Headline
CVE-2023-32706: Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication
On Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, an unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon.
Advisory ID: SVD-2023-0601
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.7, High
Description
An unauthenticated attacker can send specially crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon (splunkd). The parser is configured to resolve internal entities declared in the document's own DTD, so an attacker can declare a chain of entities in which each one references the previous one many times (the well-known "billion laughs" pattern): a handful of short declarations expands to gigabytes of text. Resolving those nested references consumes all available memory on the host, and splunkd either crashes or is terminated by the operating system.
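The following is an added example, not Splunk's code and not taken from the advisory. It shows the two defences a parser on a SAML endpoint should have against the attack described above: an arithmetic estimate of how large the declared entities would grow (so a 3 GB payload is recognised without expanding a single byte) and a hardened expat parser that refuses entity declarations outright, since a legitimate SAML response never carries a DTD. The payload, the minimal SAML response, the small DTD sample and the `accept_saml_response` wrapper are all constructed here for illustration.

```python
import base64
import re
import xml.parsers.expat as expat

# Internal general entity declarations and entity references as they appear in an
# inline DTD. Parameter entities (<!ENTITY % ...>) and external entities (SYSTEM/
# PUBLIC) do not match; parse_hardened() rejects those, like every other declaration.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r"&(\w+);")


def expansion_sizes(xml_text):
    """Return {entity: expanded length} for every internal entity, computed
    arithmetically from the declarations. Nothing is expanded, so an entity that
    would occupy gigabytes costs a few integer multiplications. Raises ValueError
    on a reference cycle, which XML forbids and which would never terminate."""
    decls = {m.group(1): m.group(3) for m in ENTITY_DECL.finditer(xml_text)}
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError("recursive entity reference: %s" % name)
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))  # literal characters in the value
        for ref in ENTITY_REF.findall(value):
            if ref in decls:
                total += size_of(ref, stack | {name})
            else:  # &amp; and other undeclared names count as their literal text
                total += len(ref) + 2
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, frozenset())
    return sizes


def document_expansion(xml_text):
    """Characters the document body would occupy once every reference is expanded."""
    sizes = expansion_sizes(xml_text)
    body = ENTITY_DECL.sub("", xml_text)  # only references outside the DTD remain
    return sum(sizes.get(ref, len(ref) + 2) for ref in ENTITY_REF.findall(body))


def within_budget(xml_text, limit=1_000_000):
    """True when the fully expanded document stays under `limit` characters."""
    try:
        return document_expansion(xml_text) <= limit
    except ValueError:  # a cycle is never acceptable
        return False


def parse_hardened(xml_text):
    """Parse with expat, refusing any entity declaration before it can be used.
    Returns the root element name. The handler raises as soon as expat reports
    the first <!ENTITY ...>, which happens before any content is expanded."""
    parser = expat.ParserCreate()
    root = []

    def reject_entity(*_):
        raise ValueError("entity declarations are not accepted")

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, _attrs: root.append(name) if not root else None
    parser.Parse(xml_text, True)
    return root[0]


def encode_for_post(xml_text):
    """Base64 the XML the way the SAML HTTP-POST binding carries SAMLResponse."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def accept_saml_response(saml_response_b64):
    """Hypothetical entry point modelled on a SAMLResponse form field (not Splunk's).
    Budget check first, then the declaration-free parse; either one stops the bomb."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    if not within_budget(xml_text):
        raise ValueError("entity expansion budget exceeded")
    return parse_hardened(xml_text)


def billion_laughs(depth=9, fanout=10):
    """Constructed 'billion laughs' payload: lol9 expands to 3 * 10**9 characters."""
    names = ["lol"] + ["lol%d" % i for i in range(1, depth + 1)]
    decls = ['<!ENTITY lol "lol">']
    for prev, cur in zip(names, names[1:]):
        decls.append('<!ENTITY %s "%s">' % (cur, ("&%s;" % prev) * fanout))
    return '<?xml version="1.0"?><!DOCTYPE lolz [%s]><lolz>&%s;</lolz>' % (
        "".join(decls), names[-1])


# Constructed samples: a minimal SAML response and a harmless inline DTD.
SAML_OK = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_abc" Version="2.0"><samlp:Status/></samlp:Response>')
SMALL_DTD = '<!DOCTYPE a [<!ENTITY greet "hello">]><a>&greet;</a>'

if __name__ == "__main__":
    print(document_expansion(SMALL_DTD), parse_hardened(SAML_OK))
    print(document_expansion(billion_laughs()))
    print(accept_saml_response(encode_for_post(SAML_OK)))
    try:
        accept_saml_response(encode_for_post(billion_laughs()))
    except ValueError as err:
        print("rejected:", err)
```

The budget estimate is useful where a DTD must be tolerated; on an authentication endpoint the simpler rule in `parse_hardened` (no declarations at all) is the one to keep, because it needs no tuning and also covers external and parameter entities that the estimator does not model.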
Solution
For Splunk Enterprise, upgrade to version 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
Product                 Version   Component    Affected Version     Fix Version
Splunk Enterprise       8.1       Splunk Web   8.1.0 to 8.1.13      8.1.14
Splunk Enterprise       8.2       Splunk Web   8.2.0 to 8.2.10      8.2.11
Splunk Enterprise       9.0       Splunk Web   9.0.0 to 9.0.4       9.0.5
Splunk Cloud Platform   -         Splunk Web   9.0.2303 and below   9.0.2303.100
Mitigations and Workarounds
Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see Configure single sign-on with SAML in the Splunk documentation.
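As an added illustration (not from the advisory), the workaround amounts to switching the authentication scheme in authentication.conf away from SAML. The stanza name `saml-idp` and the file location are assumptions; substitute whatever the instance actually uses.

```ini
# Assumed path: $SPLUNK_HOME/etc/system/local/authentication.conf

# Before: SAML SSO enabled. The SAML XML parser is reachable by an
# unauthenticated request, so the affected versions are exposed.
[authentication]
authType = SAML
authSettings = saml-idp

# After (workaround): fall back to native Splunk authentication until the
# instance is upgraded. The [saml-idp] stanza can stay in the file; it is
# simply no longer referenced.
[authentication]
authType = Splunk
```

Restart splunkd after the change so the new authentication scheme takes effect, and remember that users who only existed at the IdP will need local accounts (or another configured scheme) until SAML is re-enabled on a fixed version.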
Detections
None
Severity
Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.
If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational.
Acknowledgments
Vikram Ashtaputre, Splunk