Denial of Service via the 'dump' SPL command
Advisory ID: SVD-2023-0611
CVE ID: CVE-2023-32716
Last Update: 2023-06-01
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Bug ID: SPL-235572
An attacker can exploit a vulnerability in the ‘dump’ SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation (segmentation fault) occurs, which crashes the Splunk platform instance.
For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher.
For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.
|Product|Version|Component|Affected Version|Fix Version|
|---|---|---|---|---|
|Splunk Enterprise|8.1|Splunk Web|8.1.0 to 8.1.13|8.1.14|
|Splunk Enterprise|8.2|Splunk Web|8.2.0 to 8.2.10|8.2.11|
|Splunk Enterprise|9.0|Splunk Web|9.0.0 to 9.0.4|9.0.5|
|Splunk Cloud Platform| |Splunk Web|9.0.2303 and below|9.0.2303.100|
Mitigations and Workarounds
Remove the ‘run_dump’ capability from any roles that users hold.
This hunting detection search provides information about possible denial of service exploitation attempts in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
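The hunting search itself is not reproduced here. As an added example (not Splunk's own detection), the script below applies the same idea offline to constructed audit.log-style search records: it extracts ‘dump’ invocations and flags ‘basefilename’ values longer than an assumed threshold. The record layout, the field names and the 64-character threshold are assumptions to be tuned against real audit data.

```python
import re

# Assumed length above which a basefilename is worth a closer look.
# Tune against normal usage in your environment.
MAX_BASEFILENAME_LEN = 64

# Constructed sample records in the shape of Splunk's audit.log search
# events (assumption: user= and search='...' fields; real lines carry more).
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=06-01-2023 10:00:01.000, user=analyst, action=search, "
    "info=granted, search='search index=web | stats count by status']",
    "Audit:[timestamp=06-01-2023 10:02:14.000, user=analyst, action=search, "
    "info=granted, search='search index=web | dump basefilename=webexport rollsize=100']",
    "Audit:[timestamp=06-01-2023 10:05:37.000, user=contractor, action=search, "
    "info=granted, search='search index=_internal | dump basefilename=" + "x" * 300 + "']",
]

SEARCH_RE = re.compile(r"search='(.*)'")          # greedy: search text is the last field
USER_RE = re.compile(r"\buser=(\w+)")
DUMP_RE = re.compile(r"\|\s*dump\b([^|']*)", re.IGNORECASE)   # one pipeline stage
BASEFILENAME_RE = re.compile(r'basefilename\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)


def audit_dump_findings(lines, max_basefilename_len=MAX_BASEFILENAME_LEN):
    """Return one finding per 'dump' stage found in the audit search records."""
    findings = []
    for line in lines:
        search_match = SEARCH_RE.search(line)
        if not search_match:
            continue                      # not a search record
        user_match = USER_RE.search(line)
        user = user_match.group(1) if user_match else "unknown"
        for dump_match in DUMP_RE.finditer(search_match.group(1)):
            name_match = BASEFILENAME_RE.search(dump_match.group(1))
            name = name_match.group(1) if name_match else ""
            findings.append({
                "user": user,
                "basefilename_length": len(name),
                "suspicious": len(name) > max_basefilename_len,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_dump_findings(SAMPLE_AUDIT_LINES):
        print(finding)
```

This relies on the audit record being written when the search is granted, before it executes, so the event survives a subsequent daemon crash; correlate any hit with the role's ‘run_dump’ capability and with splunkd restarts around the same time.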
Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Danylo Dmytriiev (DDV_UA)