CVE-2022-32158: 
Splunk Forwarder vulnerability analysis and mitigation

CVE-2022-32158 is a critical vulnerability in Splunk Enterprise deployment servers discovered in versions prior to 8.1.10.1, 8.2.6.1, and 9.0. The vulnerability allows deployment clients to deploy forwarder bundles to other deployment clients through the deployment server. This security flaw received a CVSS v3.1 score of 9.0 (Critical) (Splunk Advisory).

The vulnerability exists in the deployment server functionality where clients can leverage the server to deploy forwarder bundles to other clients. The critical severity is reflected in its CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability specifically affects Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0. It's important to note that the Splunk Cloud Platform (SCP) is not affected by this vulnerability as it does not offer or use deployment servers (Splunk Advisory).

If exploited, an attacker who has compromised a Universal Forwarder endpoint could execute arbitrary code on all other Universal Forwarder endpoints that are subscribed to the deployment server. The impact is particularly severe in environments where deployment servers are actively used for managing multiple Universal Forwarder endpoints (SecurityWeek, Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise deployment servers to version 8.1.10.1, 8.2.6.1, or 9.0 or later. For organizations that don't run a Deployment Server or use the Deployment Server functionality, the vulnerability is not applicable. Organizations can also temporarily disable the Deployment Server functionality without disabling the server as a workaround (Splunk Advisory).