Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication
Advisory ID: SVD-2023-0601
CVE ID: CVE-2023-32706
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 7.7, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-611
Bug ID: SPL-224292
Description
An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
| Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
| Splunk Cloud Platform | 9.0.2303 and below | Splunk Web | 9.0.2303.100 |
Mitigations and Workarounds
Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see Configure single sign-on with SAML in the Splunk documentation.
Detections
None
Severity
Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.
If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational.
Acknowledgments
Vikram Ashtaputre, Splunk