Regarding the Shellshock vulnerability, and assuming the host where Splunk or Splunkforwarder is running has the Shellshock vulnerability, is it possible to invoke the vulnerability via the splunkweb (8000) or mgt (8089) ports?
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/
No, it is not. Splunk will only call external processes in response to user actions in:
In all cases, the external program must be placed in specific locations on the system by an administrator. By default, there are no scripts or programs that invoke bash in current or recent versions of Splunk. The administrator can of course create vulnerabilities by placing and allowing access to dangerous programs. But the Shellshock bash vulnerability cannot be invoked.
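One way to check a given install against the answer above, as an added example that is not part of the original thread or Splunk's own tooling: list the administrator-placed scripts whose interpreter line names bash or sh. The directory layout (`etc/apps/<app>/bin`, `bin/scripts`) is an assumption about where such scripts live, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Splunk code. Assumed layout: scripts Splunk may run sit
# under $SPLUNK_HOME/etc/apps/<app>/bin and $SPLUNK_HOME/bin/scripts.

# Print every regular file under "$1" whose interpreter line names bash or sh
# (sh is included because /bin/sh is bash on some distributions).
list_shell_scripts() {
    [ -d "$1" ] || return 0
    find "$1" -type f | sort | while IFS= read -r f; do
        # Read only the first line; drop NUL bytes so binaries do not warn.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*/bash | '#!'*/bash' '* | '#!'*'env bash'*) printf '%s\n' "$f" ;;
            '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Build a constructed sample tree (not a real Splunk install); print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/apps/example_app/bin" "$t/bin/scripts"
    printf '#!/bin/bash\necho collect\n' > "$t/etc/apps/example_app/bin/collect.sh"
    printf '#!/usr/bin/env python\nprint("x")\n' > "$t/etc/apps/example_app/bin/lookup.py"
    printf '#!/bin/sh\necho alert\n' > "$t/bin/scripts/alert.sh"
    printf 'no interpreter line\n' > "$t/etc/apps/example_app/bin/README"
    printf '%s\n' "$t"
}

# With an argument, audit that install root; otherwise run on the sample tree.
if [ "$#" -gt 0 ]; then
    list_shell_scripts "$1/etc/apps"
    list_shell_scripts "$1/bin/scripts"
else
    demo=$(make_sample_tree)
    list_shell_scripts "$demo"
    rm -rf "$demo"
fi
```

The check only reads interpreter lines, so a script in another language that itself spawns a shell will not be listed; treat the output as a starting inventory.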
Updated guidance from Splunk: http://www.splunk.com/view/SP-CAAANJN
Please check back for more updates. While it is the case that a default Splunk installation will not be vulnerable to shellshock, we hope to provide more specific information warning you where you could be vulnerable if you install or configure shell scripts. If you are in this situation or are not sure, you may want to simply patch bash.
Thanks for the quick response!