CVE-2023-40594: Denial of Service (DoS) via the ‘printf’ Search Function

Advisory ID: SVD-2023-0803

Published: 2023-08-30

Last Update: 2023-08-30

CVSSv3.1 Score: 6.5, Medium

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.

The printf function does not properly validate expressions in certain cases in combination with commands like fieldformat that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product

Version

Component

Affected Version

Fix Version

Splunk Enterprise

8.2

Splunk Web

8.2.0 to 8.2.11

8.2.12

Splunk Enterprise

9.0

Splunk Web

9.0.0 to 9.0.5

9.0.6

Splunk Enterprise

9.1

Splunk Web

9.1.0

9.1.1

Splunk Cloud

-

Splunk Web

9.0.2305.100 and below

9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.

Detections

None

Severity

Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Acknowledgments

Danylo Dmytriiev (DDV_UA)