CVE-2024-36984: 
Splunk Enterprise vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2024-36984) was discovered in Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows. The vulnerability allows an authenticated user to execute arbitrary code through serialized session payloads. This security flaw was disclosed on July 1, 2024, and received a CVSS v3.1 base score of 8.8 (High) (Splunk Advisory, SecurityWeek).

The vulnerability stems from an insecure handling of serialized data in Splunk Enterprise. The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. An attacker can then use this file to submit a serialized payload that could result in execution of code within the payload. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Splunk Advisory).

If successfully exploited, this vulnerability could allow an authenticated attacker to execute arbitrary code on the affected Splunk Enterprise instance, potentially leading to complete system compromise. The high CVSS score of 8.8 reflects the significant potential impact on system confidentiality, integrity, and availability (SecurityWeek, Splunk Advisory).

Splunk has released patches to address this vulnerability. Organizations are advised to upgrade to Splunk Enterprise versions 9.2.2, 9.1.5, or 9.0.10 or higher. As a workaround, if users do not log in to Splunk Web on indexers in a distributed environment, administrators can disable Splunk Web on those indexers (Splunk Advisory).