PT-2023-7355 · Splunk · Universal Forwarder

Fredrik Alexandersson · Published 2023-06-01 · Updated 2024-07-03 · CVE-2023-32712

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Splunk Enterprise versions prior to 9.1.0.2
Splunk Enterprise versions prior to 9.0.5.1
Splunk Enterprise versions prior to 8.2.11.2
Universal Forwarder versions prior to 9.1.0.2
Universal Forwarder versions prior to 9.0.5.1
Universal Forwarder versions prior to 8.2.11.2

Description

The issue is related to the improper handling of log output, allowing an attacker to inject American National Standards Institute (ANSI) escape codes into log files. When a vulnerable terminal application reads these logs, it can potentially lead to code execution in the application. This requires a user to use a terminal that supports ANSI escape code translation and to perform additional interactions to exploit. The vulnerability can be exploited through a specially crafted web URL or by sending a specially crafted HTTP request containing ANSI escape codes.

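A defender-side check for the condition described above, as an added example that is not from Splunk or from this advisory: it flags log lines that contain ANSI escape sequences and rewrites the control bytes as visible \xNN text so the line can be read in a terminal without being interpreted. The sample log lines and all function names are constructed for illustration.

```python
import re

# CSI (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \), other two-byte
# ESC sequences, then any remaining C0/C1 control character except tab/newline.
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
    r"|\x1b[@-Z\\-_]"
    r"|[\x00-\x08\x0b-\x1f\x7f-\x9f]"
)
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

def find_sequences(line):
    """Return every escape sequence or stray control character in one line."""
    return [m.group(0) for m in ANSI_SEQ.finditer(line)]

def neutralize(line):
    """Rewrite control characters as literal \\xNN text so a terminal shows them inert."""
    return CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", line)

def scan(lines):
    """Return (line_number, sequences, safe_line) for each line with a finding."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")  # line endings are not findings
        sequences = find_sequences(line)
        if sequences:
            findings.append((number, sequences, neutralize(line)))
    return findings

# Constructed sample input, not real Splunk log output.
SAMPLE = [
    '06-01-2023 10:00:01 INFO request uri="/en-US/app/search"\n',
    '06-01-2023 10:00:02 WARN request uri="/en-US/\x1b[31mapp\x1b[0m"\n',
    '06-01-2023 10:00:03 WARN request uri="/x\x1b]0;title\x07"\n',
]

if __name__ == "__main__":
    for number, sequences, safe in scan(SAMPLE):
        print(f"line {number}: {len(sequences)} sequence(s): {safe}")
```

Reading suspect logs through a filter like this, or through a pager that does not pass raw control characters to the terminal, keeps the sequences from being interpreted on hosts that are not yet updated.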
Recommendations

For Splunk Enterprise versions prior to 9.1.0.2, update to version 9.1.0.2 or later.
For Splunk Enterprise versions prior to 9.0.5.1, update to version 9.0.5.1 or later.
For Splunk Enterprise versions prior to 8.2.11.2, update to version 8.2.11.2 or later.
For Universal Forwarder versions prior to 9.1.0.2, update to version 9.1.0.2 or later.
For Universal Forwarder versions prior to 9.0.5.1, update to version 9.0.5.1 or later.
For Universal Forwarder versions prior to 8.2.11.2, update to version 8.2.11.2 or later.

As a temporary workaround, consider disabling the use of ANSI escape codes in log files until a patch is available. Restrict access to management services in Universal Forwarder to minimize the risk of exploitation.

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

BDU:2023-08386
CVE-2023-32712

Affected Products

Splunk Enterprise
Universal Forwarder