CVE-2023-40595: Remote Code Execution via Serialized Session Payload
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can execute a specially crafted query that they can then use to serialize untrusted data. The attacker can use the query to execute arbitrary code.
Advisory ID: SVD-2023-0804
Published: 2023-08-30
Last Update: 2023-08-30
CVSSv3.1 Score: 8.8, High
Description
The exploit requires the use of the collect SPL command, which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in execution of code within the payload.
Solution
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.
For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.
Product Status
Product           | Version | Component  | Affected Version       | Fix Version
Splunk Enterprise | 8.2     | Splunk Web | 8.2.0 to 8.2.11        | 8.2.12
Splunk Enterprise | 9.0     | Splunk Web | 9.0.0 to 9.0.5         | 9.0.6
Splunk Enterprise | 9.1     | Splunk Web | 9.1.0                  | 9.1.1
Splunk Cloud      | -       | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Detections
None
Severity
Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.
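The following triage helper is an added example, not Splunk's code: it encodes the Product Status table above together with the Severity note (no Splunk Web, no impact) so an inventory of instances can be sorted into patched, affected, informational and unlisted. The hostnames and inventory entries are constructed; whether Splunk Web runs is taken from web.conf startwebserver.

```python
# Triage helper for SVD-2023-0804 (CVE-2023-40595). Added example, not Splunk's
# code: it encodes the advisory's Product Status table and its Severity note
# (no Splunk Web, no impact) so an inventory can be checked offline.

# One entry per table row: (product, first affected, last affected, fix).
ADVISORY_ROWS = [
    ("Splunk Enterprise", "8.2.0", "8.2.11", "8.2.12"),
    ("Splunk Enterprise", "9.0.0", "9.0.5", "9.0.6"),
    ("Splunk Enterprise", "9.1.0", "9.1.0", "9.1.1"),
    ("Splunk Cloud", "0", "9.0.2305.100", "9.0.2305.200"),  # "and below"
]

def parse_version(text):
    """'9.0.2305.100' -> (9, 0, 2305, 100); tuples compare component-wise."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(product, version, splunk_web):
    """Return 'patched', 'affected', 'informational' or 'not-listed'.

    splunk_web: whether web.conf [settings] startwebserver is enabled.
    'informational' follows the Severity section (no Splunk Web, no impact);
    'not-listed' means no table row covers the version: review manually.
    """
    v = parse_version(version)
    for row_product, low, high, fix in ADVISORY_ROWS:
        if row_product != product:
            continue
        low, high, fix = map(parse_version, (low, high, fix))
        if low <= v <= high:
            return "affected" if splunk_web else "informational"
        # A fixed build is the fix version or later on the same x.y branch.
        if v >= fix and v[:2] == fix[:2]:
            return "patched"
    return "not-listed"

def triage(inventory):
    """inventory: iterable of (host, product, version, splunk_web) tuples."""
    return {host: assess(p, ver, web) for host, p, ver, web in inventory}

# Constructed sample inventory, not data from the advisory.
SAMPLE_INVENTORY = [
    ("sh-01", "Splunk Enterprise", "9.0.5", True),   # affected
    ("idx-01", "Splunk Enterprise", "9.0.5", False),  # informational
    ("sh-02", "Splunk Enterprise", "9.1.1", True),    # patched
    ("cloud", "Splunk Cloud", "9.0.2305.100", True),  # affected
    ("legacy", "Splunk Enterprise", "8.1.3", True),   # not-listed
]
```

Hosts reported as "not-listed" (for example the 8.1 branch, which the table does not mention) still need a manual check against the "lower than 8.2.12" wording in the description rather than being treated as safe.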
Acknowledgments
Danylo Dmytriiev (DDV_UA)