CVE-2024-22165 Overview
CVE-2024-22165 is a denial of service (DoS) vulnerability affecting Splunk Enterprise Security (ES) versions prior to 7.1.2. An authenticated attacker with permission to create Investigations can craft a malformed Investigation object that prevents the Investigations manager from generating and rendering its view for all users. The condition persists until an administrator manually deletes the offending Investigation.
The flaw is categorized under [CWE-20] Improper Input Validation. While the issue does not impact confidentiality or integrity, it renders the Investigations functionality unusable for most analysts relying on the manager view.
Critical Impact
A single authenticated user can disable the Investigations manager across the Splunk ES deployment, suppressing case management workflows for the entire security team until manual remediation.
Affected Products
- Splunk Enterprise Security versions below 7.1.2
- Splunk Cloud Platform deployments running affected ES app versions
- All ES instances where users have permission to create Investigations
Discovery Timeline
- 2024-01-09 - CVE-2024-22165 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-22165
Vulnerability Analysis
The vulnerability resides in how Splunk Enterprise Security handles Investigation objects submitted through its user interface and API. The Investigations feature in Splunk ES provides case management for security analysts to track incidents, evidence, and remediation steps. When a user creates an Investigation, the application stores the object and renders it within the centralized Investigations manager view.
Splunk ES does not properly validate the structure and content of Investigation objects before persisting them. An authenticated attacker can submit a malformed Investigation that the rendering logic cannot parse. When the Investigations manager attempts to enumerate stored Investigations to build its view, the malformed object causes the generation process to fail.
The failure mode is global rather than per-user. Once the malformed Investigation exists in the data store, no user can access the Investigations manager. Recovery requires identifying and deleting the malformed object through administrative intervention.
Root Cause
The root cause is improper input validation [CWE-20] on Investigation creation. The application accepts Investigation payloads containing fields or structures that violate the parser's expectations during list rendering. Because the validation gap exists at write time, the malformed state persists across sessions and restarts.
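The write-time validation gap described above can be illustrated with a small model of a shared case store. This is an added example, not Splunk's code or schema: the required fields, the `NaiveStore`/`ValidatingStore` classes and the renderers are hypothetical stand-ins that show why one malformed object persisted without validation breaks list rendering for every user, and how validating at write time (plus isolating per-object failures at read time) contains the damage.

```python
"""Toy model of the CVE-2024-22165 failure mode (added illustration, not Splunk code).

A shared store that persists whatever it receives lets one malformed object
break list rendering for all users; validating at write time prevents it, and a
renderer that isolates per-object failures keeps the view up for cleanup.
"""

# Hypothetical schema for illustration only; it is NOT Splunk's Investigation schema.
REQUIRED_FIELDS = {"id": str, "title": str, "status": str, "created_by": str}
ALLOWED_STATUS = {"open", "in_progress", "closed"}


class ValidationError(ValueError):
    """Raised when a payload would not survive later rendering."""


def validate_investigation(payload):
    """Reject payloads the list renderer could not handle once they are persisted."""
    if not isinstance(payload, dict):
        raise ValidationError("payload must be an object")
    for name, typ in REQUIRED_FIELDS.items():
        if name not in payload:
            raise ValidationError(f"missing field {name!r}")
        if not isinstance(payload[name], typ):
            raise ValidationError(f"field {name!r} must be {typ.__name__}")
    if payload["status"] not in ALLOWED_STATUS:
        raise ValidationError(f"unknown status {payload['status']!r}")
    return payload


class NaiveStore:
    """Persists anything it is given: the write-time validation gap."""

    def __init__(self):
        self.objects = []

    def create(self, payload):
        self.objects.append(payload)


class ValidatingStore(NaiveStore):
    """Same store, but malformed objects never reach the data store."""

    def create(self, payload):
        super().create(validate_investigation(payload))


def render_manager(objects):
    """Renders the way the vulnerable manager does: any bad object fails the whole view."""
    return [f"{o['id']}: {o['title'].upper()} [{o['status']}]" for o in objects]


def render_manager_isolated(objects):
    """Defensive rendering: skip objects that fail and report them for cleanup."""
    rows, broken = [], []
    for o in objects:
        try:
            rows.append(f"{o['id']}: {o['title'].upper()} [{o['status']}]")
        except (KeyError, AttributeError, TypeError):
            broken.append(o.get("id", "<no id>") if isinstance(o, dict) else "<not an object>")
    return rows, broken


def manager_renders(objects):
    """True if the non-defensive manager view can be built from these objects."""
    try:
        render_manager(objects)
        return True
    except (KeyError, AttributeError, TypeError):
        return False


def creation_accepted(store, payload):
    """True if the store persisted the payload, False if validation rejected it."""
    try:
        store.create(payload)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    good = {"id": "inv-1", "title": "Phishing triage", "status": "open", "created_by": "alice"}
    bad = {"id": "inv-2", "title": ["not", "a", "string"], "status": "open", "created_by": "mallory"}
    naive = NaiveStore()
    naive.create(good)
    naive.create(bad)
    print("naive store renders:", manager_renders(naive.objects))        # False: view is down for everyone
    print("isolated render:", render_manager_isolated(naive.objects))    # good row plus ['inv-2'] to delete
    strict = ValidatingStore()
    print("strict accepts good:", creation_accepted(strict, good))       # True
    print("strict accepts bad:", creation_accepted(strict, bad))         # False: rejected at write time
```

The `render_manager_isolated` output doubles as the administrator's cleanup list: it names the object ids that must be removed, which is exactly the manual step the advisory says is needed once a malformed Investigation has been stored.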
Attack Vector
Exploitation requires network access to the Splunk ES web interface or REST API and an authenticated session with privileges to create Investigations. The attacker submits a single crafted Investigation payload. No additional user interaction is required. Following submission, the Investigations manager becomes inaccessible to all users until the malformed object is removed.
The vulnerability mechanism is described in the Splunk Security Advisory SVD-2024-0102 and the Splunk Research Analysis. No public proof-of-concept code is available.
Detection Methods for CVE-2024-22165
Indicators of Compromise
- Investigations manager page failing to load or returning rendering errors for all users
- Recent Investigation creation events in Splunk _audit index immediately preceding the manager outage
- Error entries in splunkd.log related to Investigation parsing or serialization failures
- Unusual Investigation creation activity from low-privilege or service accounts
Detection Strategies
- Monitor Splunk audit logs for Investigation creation calls to the /services/notable_update and Investigations REST endpoints
- Alert on user accounts creating Investigations outside of established analyst workflows or baselines
- Correlate Investigations manager errors with the most recent Investigation creation event to identify the offending object
- Review the Splunk research detection referenced in the Splunk Research Analysis for vendor-provided identification logic
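The correlation step above (match the manager outage to the most recent Investigation creation) and the baseline check (creators outside the expected analyst set) can be scripted over exported log lines. The following is an added example, not Splunk's detection content: both line formats are constructed, simplified stand-ins rather than the exact `_audit` or `splunkd.log` layouts, so the two regular expressions must be adapted to the fields your deployment actually emits.

```python
"""Added example (not Splunk's own detection logic): tie an Investigations manager
outage to the Investigation creation that immediately preceded it, and flag
creators outside a known analyst baseline.

Line formats are constructed, simplified stand-ins for _audit and splunkd.log.
"""
import re
from datetime import datetime

# Constructed sample audit events: one Investigation creation per line.
AUDIT_LINES = """\
2024-01-10T09:01:12Z user=alice action=create object_category=investigation object_id=inv-1041
2024-01-10T09:14:55Z user=bob action=create object_category=investigation object_id=inv-1042
2024-01-10T09:20:03Z user=svc-ingest action=create object_category=investigation object_id=inv-1043
2024-01-10T09:35:40Z user=alice action=create object_category=investigation object_id=inv-1044
""".splitlines()

# Constructed sample server log lines, including the manager's rendering failures.
SERVER_LINES = """\
2024-01-10T09:18:00Z INFO  Investigations manager rendered 2 investigations
2024-01-10T09:20:31Z ERROR Investigations manager failed to render: unable to parse investigation object
2024-01-10T09:21:10Z ERROR Investigations manager failed to render: unable to parse investigation object
""".splitlines()

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=create "
    r"object_category=investigation object_id=(?P<id>\S+)"
)
ERROR_RE = re.compile(r"^(?P<ts>\S+) ERROR Investigations manager failed to render")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_creations(lines):
    """Extract (timestamp, user, object id) for every Investigation creation event."""
    events = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "user": m["user"], "id": m["id"]})
    return events


def first_render_error(lines):
    """Timestamp of the first manager rendering failure, or None if the view is healthy."""
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            return _ts(m["ts"])
    return None


def suspect_investigation(audit_lines, server_lines):
    """The creation event closest before the first manager error: the object to inspect first."""
    err = first_render_error(server_lines)
    if err is None:
        return None
    before = [c for c in parse_creations(audit_lines) if c["ts"] <= err]
    return max(before, key=lambda c: c["ts"]) if before else None


def creators_outside_baseline(audit_lines, analyst_users):
    """Accounts that created Investigations but are not in the known analyst set."""
    seen = {c["user"] for c in parse_creations(audit_lines)}
    return sorted(seen - set(analyst_users))


if __name__ == "__main__":
    s = suspect_investigation(AUDIT_LINES, SERVER_LINES)
    print("inspect first:", s["id"], "created by", s["user"], "at", s["ts"])
    print("creators outside baseline:", creators_outside_baseline(AUDIT_LINES, {"alice", "bob"}))
```

On the constructed data the suspect is `inv-1043`, created by `svc-ingest` 28 seconds before the first rendering error; `inv-1044`, created after the outage began, is correctly excluded. Running this over real exports only narrows the candidate list: confirm by deleting the suspect and checking that the manager renders again.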
Monitoring Recommendations
- Track the version of the Splunk ES app across all search heads to confirm patch status
- Configure alerting on rendering exceptions emitted by the Investigations manager component
- Audit role assignments granting the edit_notable_events and Investigation creation capabilities
- Maintain log retention sufficient to attribute malformed Investigations to a specific user and session
How to Mitigate CVE-2024-22165
Immediate Actions Required
- Upgrade Splunk Enterprise Security to version 7.1.2 or later as documented in SVD-2024-0102
- Review which roles have permission to create Investigations and remove the capability from accounts that do not require it
- Inspect existing Investigations for malformed entries if the Investigations manager is currently inaccessible
- Enforce multi-factor authentication on all Splunk ES accounts to reduce risk from credential compromise
Patch Information
Splunk addressed CVE-2024-22165 in Splunk Enterprise Security version 7.1.2. Administrators should plan an upgrade through the standard Splunk app deployment process. Full remediation details and downloads are available in the Splunk Security Advisory SVD-2024-0102.
Workarounds
- Restrict the Investigation creation capability to a small, trusted set of analyst roles until patching is complete
- Establish an operational runbook to identify and delete malformed Investigation objects via the REST API if the manager becomes unavailable
- Monitor the _audit index for Investigation creation events to enable rapid attribution and rollback
# Check installed Splunk Enterprise Security version
/opt/splunk/bin/splunk display app SplunkEnterpriseSecuritySuite
# List recent Investigation creation events for triage
/opt/splunk/bin/splunk search 'index=_audit action=create object_category=investigation earliest=-24h' -auth admin:<password>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.