PT-2022-10326 · Splunk · Splunk Enterprise

Sharon Brizinov +1 · Published 2022-03-25 · Updated 2022-04-11 · CVE-2021-3422

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Splunk Enterprise versions prior to 7.3.9
Splunk Enterprise versions 8.0 prior to 8.0.9
Splunk Enterprise versions 8.1 prior to 8.1.3

Description

The issue is related to the lack of validation of a key-value field in the Splunk-to-Splunk protocol, resulting in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. It does not impact Universal Forwarders. When Splunk forwarding is secured using TLS or a Token, the attack requires compromising the certificate or token, or both. Implementation of either or both reduces the severity to Medium.

Recommendations

For versions prior to 7.3.9, update to version 7.3.9 or later.
For versions 8.0 prior to 8.0.9, update to version 8.0.9 or later.
For versions 8.1 prior to 8.1.3, update to version 8.1.3 or later.

As a partial mitigation and a security best practice, consider securing Splunk forwarding using TLS or a Token to reduce the severity to Medium.
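
The partial mitigation above, sketched as receiver and forwarder configuration. This is an added example, not configuration taken from this entry or from Splunk's advisory: the port, host name, certificate paths, token name and token value are placeholders, and the stanza and setting names are assumed from Splunk's inputs.conf and outputs.conf specifications and should be checked against the spec files shipped with the installed version.

```ini
# ---- Receiver (indexer) inputs.conf: exposed form ----
# Plain Splunk-to-Splunk listener. Any host that can reach the port
# can send protocol messages to the indexer without authenticating.
[splunktcp://9997]
disabled = 0

# ---- Receiver (indexer) inputs.conf: hardened form ----
# Replace the plain listener with a TLS listener on the same port.
[splunktcp-ssl:9997]
disabled = 0

# TLS settings shared by the splunktcp-ssl inputs.
# Paths and password are placeholders.
[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/indexer.pem
sslPassword = <certificate-key-password>
# Require forwarders to present a certificate of their own.
requireClientCert = true

# Forwarder token. "uf_fleet" and the GUID are constructed placeholders;
# generate a real random GUID and keep it out of shared repositories.
[splunktcptoken://uf_fleet]
token = 00000000-0000-0000-0000-000000000000

# ---- Universal Forwarder outputs.conf: matching settings ----
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer.example.internal:9997
clientCert = /opt/splunkforwarder/etc/auth/mycerts/forwarder.pem
sslPassword = <certificate-key-password>
sslVerifyServerCert = true
# Must equal the token configured on the receiver.
token = 00000000-0000-0000-0000-000000000000
```

With either control in place, a sender must hold a valid client certificate or the token before the indexer processes its traffic, which is the condition the description gives for the reduced severity. Upgrading to a fixed version remains the actual remedy.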

Fix

DoS

RCE

Out of bounds Read

Weakness Enumeration

Related Identifiers: CVE-2021-3422

Affected Products: Splunk Enterprise