Denial Of Service due to Untrusted XML Tag in XML Parser within SAML Authentication

Advisory ID: SVD-2023-0601

CVE ID: CVE-2023-32706

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 7.7, High

CWE: CWE-611

Bug ID: SPL-224292

Description

An unauthenticated attacker can send specially-crafted messages to the XML parser within SAML authentication to cause a denial of service in the Splunk daemon. This happens when an incorrectly configured XML parser receives XML input that contains a reference to an entity expansion. Many recursive references to entity expansions can cause the XML parser to use all available memory on the machine, causing the Splunk daemon to crash or be terminated by the operating system.
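As an added illustration (not Splunk's code), here is a parser configured the way this advisory's fix points toward: any DOCTYPE or entity declaration in an incoming SAML message is refused before a single entity can be expanded, so memory use stays bounded. The sample messages and the issuer URL are constructed placeholders, and the `parse_saml_hardened`/`issuer_of` helper names are assumptions for the example.

```python
"""Hardened parse of a SAML message: refuse DTDs and entity declarations."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Document carries a DTD or entity declaration, which SAML never needs."""


def parse_saml_hardened(xml_bytes: bytes) -> ET.Element:
    """Entity-expansion bombs need a DTD, so refusing the DOCTYPE stops the
    parser before a single entity is defined and memory use stays bounded."""
    parser = expat.ParserCreate(namespace_separator="}")
    parser.buffer_text = True
    builder = ET.TreeBuilder()

    def fixname(name):  # expat reports "uri}local"; ElementTree wants "{uri}local"
        return "{" + name if "}" in name else name

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in SAML messages")

    def reject_entity(name, *_):
        raise UnsafeXMLError(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = lambda name, attrs: builder.start(
        fixname(name), {fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda name: builder.end(fixname(name))
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_bytes, True)
    return builder.close()


def issuer_of(xml_bytes: bytes):
    """Issuer text of a SAML message, or None when the hardened parser rejects it."""
    try:
        root = parse_saml_hardened(xml_bytes)
    except UnsafeXMLError:
        return None
    el = root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Issuer")
    return el.text if el is not None else None


# Constructed sample messages; the issuer URL is a placeholder, not a real IdP.
CLEAN_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
    b"<saml:Issuer>https://idp.example.test/metadata</saml:Issuer></samlp:Response>"
)
# A DOCTYPE is the hook entity-expansion attacks hang on, so any DOCTYPE is refused.
DTD_RESPONSE = (b'<!DOCTYPE samlp [<!ENTITY x "x">]>'
                b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&x;</samlp:Response>')
```

The same two handlers are what a parser library's "forbid DTD / forbid entities" switches install under the hood, so the check is the one to look for when reviewing how a service parses SAML.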

Solution

For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

Product               | Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 8.1     | Splunk Web | 8.1.0 to 8.1.13    | 8.1.14
Splunk Enterprise     | 8.2     | Splunk Web | 8.2.0 to 8.2.10    | 8.2.11
Splunk Enterprise     | 9.0     | Splunk Web | 9.0.0 to 9.0.4     | 9.0.5
Splunk Cloud Platform |         | Splunk Web | 9.0.2303 and below | 9.0.2303.100

Mitigations and Workarounds

Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see Configure single sign-on with SAML in the Splunk documentation.

Detections

None

Severity

Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

If the Splunk Enterprise instance does not use SAML SSO for authentication, there is no impact and the severity is Informational.

Acknowledgments

Vikram Ashtaputre, Splunk