Headline
CVE-2023-32716: Denial of Service via the 'dump' SPL command
In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, an attacker can exploit a vulnerability in the ‘dump’ SPL command to cause a denial of service by crashing the Splunk daemon.
Advisory ID: SVD-2023-0611
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 6.5, Medium
Description
An attacker can exploit a vulnerability in the ‘dump’ SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance.
Solution
For Splunk Enterprise, upgrade to version 9.0.5, 8.2.11, or 8.1.14, or higher.
For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.
Product Status

Product               | Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 8.1     | Splunk Web | 8.1.0 to 8.1.13    | 8.1.14
Splunk Enterprise     | 8.2     | Splunk Web | 8.2.0 to 8.2.10    | 8.2.11
Splunk Enterprise     | 9.0     | Splunk Web | 9.0.0 to 9.0.4     | 9.0.5
Splunk Cloud Platform |         | Splunk Web | 9.0.2303 and below | 9.0.2303.100
Mitigations and Workarounds
Remove the ‘run_dump’ capability from any roles that users hold.
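The workaround above is a role-capability change. The following script is an added example (not Splunk's code and not part of the advisory) that audits an authorize.conf fragment for roles holding run_dump, resolves inheritance through importRoles so that roles which only inherit the capability are also reported, and produces a copy of the file with the capability lines removed. The configuration text is constructed for illustration; the stanza names, the "run_dump = enabled" syntax and the semicolon-separated importRoles list follow Splunk's authorize.conf conventions.

```python
import configparser

# Constructed authorize.conf fragment for illustration only (not from the
# advisory). Splunk role stanzas are named [role_<name>]; capabilities are
# granted with "<capability> = enabled"; importRoles inherits from other roles.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
run_dump = enabled
edit_user = enabled

[role_power]
importRoles = user
run_dump = enabled

[role_user]
search = enabled

[role_analyst]
importRoles = power;user
"""


def load_roles(conf_text):
    """Parse role stanzas into {role: {"caps": set, "imports": [parents]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep capability names case-sensitive
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        caps, imports = set(), []
        for key, value in cp.items(section):
            if key == "importRoles":
                imports = [r.strip() for r in value.split(";") if r.strip()]
            elif value.strip().lower() == "enabled":
                caps.add(key)
        roles[name] = {"caps": caps, "imports": imports}
    return roles


def effective_capabilities(roles, name, _seen=None):
    """Capabilities a role holds directly or via importRoles (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in roles:
        return set()
    _seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, _seen)
    return caps


def roles_with_capability(conf_text, capability="run_dump"):
    """Sorted list of roles that hold the capability directly or by inheritance."""
    roles = load_roles(conf_text)
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))


def remove_capability(conf_text, capability="run_dump"):
    """Return conf_text with every '<capability> = ...' line dropped from role stanzas."""
    kept = []
    for line in conf_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == capability:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("roles holding run_dump:", roles_with_capability(SAMPLE_AUTHORIZE_CONF))
    hardened = remove_capability(SAMPLE_AUTHORIZE_CONF)
    print("after removal:", roles_with_capability(hardened))
```

Run it against a real authorize.conf by replacing the constructed text with the file's contents; the inheritance walk matters because a role with no run_dump line of its own can still hold the capability through importRoles, and the advisory's workaround only holds once no role a user is assigned to resolves to it.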
Detections
- Splunk DoS via dump SPL command
This hunting detection search provides information about possible denial of service exploitation attempts in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
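As an added example that is not the advisory's own detection search and not Splunk code, the script below shows the two checks a defender would combine when hunting for this issue: whether a given Splunk Enterprise version falls in one of the affected ranges from the Product Status table, and whether any searches in audit events ran the dump command with an unusually long basefilename argument (the description attributes the crash to a longer-than-expected filename). The audit lines are constructed and simplified; the 255-character threshold is an assumption, since the advisory does not state the length at which the fault occurs.

```python
import re

# Affected ranges and fix versions as listed in the advisory's Product Status table.
AFFECTED = [
    ((8, 1, 0), (8, 1, 13), "8.1.14"),
    ((8, 2, 0), (8, 2, 10), "8.2.11"),
    ((9, 0, 0), (9, 0, 4), "9.0.5"),
]


def fix_version_for(version):
    """Return the fix version if a Splunk Enterprise version is affected, else None."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    for low, high, fix in AFFECTED:
        if low <= parts <= high:
            return fix
    return None


# Constructed audit-style lines (simplified; not real events from the page).
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp='06-01-2023 10:00:01.000', user=alice, action=search, info=granted, "
    "search='search index=main | dump basefilename=export1']",
    "Audit:[timestamp='06-01-2023 10:00:02.000', user=bob, action=search, info=granted, "
    "search='search index=main | stats count by host']",
    "Audit:[timestamp='06-01-2023 10:00:03.000', user=mallory, action=search, info=granted, "
    "search='search index=main | dump basefilename=" + "A" * 600 + "']",
    "Audit:[timestamp='06-01-2023 10:00:04.000', user=carol, action=search, info=granted, "
    "search='search index=main | dump basefilename=report rollsize=1']",
]

# Assumed threshold for illustration; the advisory gives no exact length.
MAX_SANE_BASEFILENAME = 255

USER_RE = re.compile(r"user=(\S+?),")
SEARCH_RE = re.compile(r"search='([^']*)'")
DUMP_RE = re.compile(r"\|\s*dump\b(?P<args>[^|]*)", re.IGNORECASE)
BASEFILENAME_RE = re.compile(r'basefilename\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_audit_line(line):
    """Return (user, spl) for a search audit line, or None if it is not one."""
    if "action=search" not in line:
        return None
    user, spl = USER_RE.search(line), SEARCH_RE.search(line)
    if not user or not spl:
        return None
    return user.group(1), spl.group(1)


def dump_basefilename(spl):
    """basefilename of the first dump command in spl; '' if absent; None if no dump."""
    m = DUMP_RE.search(spl)
    if not m:
        return None
    b = BASEFILENAME_RE.search(m.group("args"))
    if not b:
        return ""
    return b.group(1) if b.group(1) is not None else b.group(2)


def find_suspicious_dumps(lines, max_len=MAX_SANE_BASEFILENAME):
    """Flag dump invocations whose basefilename exceeds max_len characters."""
    findings = []
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed is None:
            continue
        user, spl = parsed
        name = dump_basefilename(spl)
        if name is not None and len(name) > max_len:
            findings.append({"user": user, "basefilename_len": len(name)})
    return findings


if __name__ == "__main__":
    for v in ("8.2.3", "9.0.4", "9.0.5"):
        print(v, "->", fix_version_for(v) or "not affected")
    print(find_suspicious_dumps(SAMPLE_AUDIT_LINES))
```

A hit from find_suspicious_dumps on an instance that fix_version_for reports as affected is the case worth triaging against splunkd crash evidence; on a patched instance the same search is noise rather than an exploitation attempt.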
Severity
Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)