Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication
Advisory ID: SVD-2023-0601
CVE ID: CVE-2023-32706
Last Update: 2023-06-01
CVSSv3.1 Score: 7.7, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Bug ID: SPL-224292
An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.1||Splunk Web||8.1.0 to 8.1.13||8.1.14|
|Splunk Enterprise||8.2||Splunk Web||8.2.0 to 8.2.10||8.2.11|
|Splunk Enterprise||9.0||Splunk Web||9.0.0 to 9.0.4||9.0.5|
|Splunk Cloud Platform||9.0.2303 and below||Splunk Web||9.0.2303.100|
Mitigations and Workarounds
Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see Configure single sign-on with SAML in the Splunk documentation.
Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.
If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational.
Vikram Ashtaputre, Splunk