CVE-2023-40593: Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request

In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, a malicious actor can send a malformed security assertion markup language (SAML) request to the /saml/acs REST endpoint which can cause a denial of service through a crash or hang of the Splunk daemon.

Advisory ID: SVD-2023-0802

Published: 2023-08-30

Last Update: 2023-08-30

CVSSv3.1 Score: 6.3, Medium

Description

In Splunk Enterprise versions lower than 9.0.6 (9.0 line) and 8.2.12 (8.2 line), an attacker can send a malformed security assertion markup language (SAML) request to the /saml/acs REST endpoint, which can cause a denial of service through a crash or hang of the Splunk daemon.

The SAML extensible markup language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead, it first attempts to access the modified URI, and that access causes the Splunk daemon to crash or hang. The ordering is the security-relevant point: the dereference happens before the request has been rejected, so a request that should have been refused on signature grounds still reaches the step that blocks or crashes the daemon.
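The failure mode described above, as an added example in Python. This is not Splunk's code and does not reproduce the Splunk bug; it shows the general class of mistake with a constructed, minimal SAML Response whose XML Signature Reference points to the Assertion by ID, and two reference resolvers. The permissive one dereferences whatever URI the Reference carries (the fetch happens before any signature decision); the strict one accepts only same-document "#id" references and fails validation otherwise, without touching the URI. Digests are taken over the plain element serialisation rather than canonicalised XML, the fetch is a stand-in callable that only records the URL, and the names InsecureReference, resolve_strict, resolve_permissive and the attacker.invalid URL are all hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
for prefix, uri in (("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed sample (not a real capture): a minimal SAML Response whose Signature
# references the Assertion by ID. DigestValue is left empty and filled by sign().
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_resp1">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue></ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

REFERENCE = f"{{{DS}}}Reference"
DIGEST_VALUE = f"{{{DS}}}DigestValue"


class InsecureReference(Exception):
    """Raised by the strict resolver for any Reference that is not same-document."""


def _digest(elem):
    # SHA-256 over the element's serialisation. A real verifier canonicalises
    # (C14N) first; a deterministic serialisation is all this illustration needs.
    return base64.b64encode(hashlib.sha256(ET.tostring(elem)).digest()).decode()


def find_by_id(root, elem_id):
    # Same-document lookup by ID attribute; returns None when absent.
    for el in root.iter():
        if el.get("ID") == elem_id:
            return el
    return None


def sign(root):
    # Stand-in for the IdP's signing step: fill each Reference's DigestValue.
    # Only digests are modelled; SignatureValue and keys are out of scope here.
    for ref in root.iter(REFERENCE):
        target = find_by_id(root, ref.get("URI")[1:])
        ref.find(DIGEST_VALUE).text = _digest(target)
    return root


def resolve_permissive(root, uri, fetch):
    # The behaviour class the advisory describes: a Reference URI that is not a
    # same-document fragment is dereferenced (network or file access) before any
    # decision that the signature is invalid has been made.
    if uri.startswith("#"):
        return find_by_id(root, uri[1:])
    return fetch(uri)


def resolve_strict(root, uri):
    # Hardened form: accept only "#id" references that resolve inside this
    # document; anything else fails validation without touching the URI.
    if not uri.startswith("#") or len(uri) < 2:
        raise InsecureReference(f"refusing to dereference Reference URI {uri!r}")
    target = find_by_id(root, uri[1:])
    if target is None:
        raise InsecureReference(f"no element with ID {uri[1:]!r} in document")
    return target


def verify_references(root, resolver):
    # True only when every Reference resolves and its stored digest matches.
    for ref in root.iter(REFERENCE):
        target = resolver(root, ref.get("URI"))
        if target is None or ref.find(DIGEST_VALUE).text != _digest(target):
            return False
    return True


def demo():
    root = sign(ET.fromstring(SAMPLE_RESPONSE))
    ref = root.find(f".//{REFERENCE}")
    attempted = []

    def fetch(uri):
        # In a real daemon this is where the blocking access (and the hang)
        # would occur; here it only records the attempt and returns nothing.
        attempted.append(uri)
        return None

    def permissive(r, u):
        return resolve_permissive(r, u, fetch)

    results = {
        "valid_permissive": verify_references(root, permissive),
        "valid_strict": verify_references(root, resolve_strict),
    }
    ref.set("URI", "#_resp1")  # attacker re-points the Reference inside the document
    results["relinked_strict"] = verify_references(root, resolve_strict)
    ref.set("URI", "http://attacker.invalid/slow")  # hypothetical external URI
    results["tampered_permissive"] = verify_references(root, permissive)
    results["fetch_attempted"] = list(attempted)
    try:
        verify_references(root, resolve_strict)
        results["tampered_strict"] = "accepted"
    except InsecureReference:
        results["tampered_strict"] = "rejected"
    return results
```

Running demo() shows the difference that matters here: both resolvers accept the untampered message and both reject a Reference re-pointed at another element (digest mismatch), but only the permissive resolver dereferences the external URI, and it does so before reporting the validation failure. The strict resolver refuses the URI outright and never reaches the fetch.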

Solution

Upgrade Splunk Enterprise to version 8.2.12 (8.2 line) or 9.0.6 (9.0 line), or higher. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version   Component    Affected Version         Fix Version
Splunk Enterprise  8.2       Splunk Web   8.2.0 to 8.2.11          8.2.12
Splunk Enterprise  9.0       Splunk Web   9.0.0 to 9.0.5           9.0.6
Splunk Cloud       -         Splunk Web   9.0.2305.100 and below   9.0.2305.200

Mitigations and Workarounds

No mitigations

Detections

None

Severity

Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

Acknowledgments

Aaron Devaney (Dodekeract)
