Denial of Service via the 'dump' SPL command
Advisory ID: SVD-2023-0611
CVE ID: CVE-2023-32716
Published: 2023-06-01
Last Update: 2023-06-01
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-754
Bug ID: SPL-235572
Description
An attacker can exploit a vulnerability in the ‘dump’ SPL command to cause a denial of service by crashing the Splunk daemon. If the attacker supplies a longer-than-expected filename with the command, a memory access violation, or segmentation fault, occurs, which results in a crash of the Splunk platform instance.
Solution
For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, and higher.
For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.1 | Splunk Web | 8.1.0 to 8.1.13 | 8.1.14 |
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.10 | 8.2.11 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.4 | 9.0.5 |
Splunk Cloud Platform | - | Splunk Web | 9.0.2303 and below | 9.0.2303.100 |
Mitigations and Workarounds
Remove the ‘run_dump’ capability from any roles that users hold.
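One way to find which roles actually hold the capability before removing it, as an added example that is not part of this advisory or of Splunk's own tooling: the script parses a constructed authorize.conf and follows importRoles inheritance, since a role also inherits capabilities from every role it imports. The sample configuration and role names are assumptions.

```python
"""Audit a Splunk authorize.conf for roles that hold 'run_dump', directly or
via importRoles. Added example, not Splunk code; the config is constructed."""
import configparser
from typing import Dict, List, Set

# Constructed sample: 'analyst' has no direct grant but imports 'power', which does.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
run_dump = enabled
importRoles = power;user

[role_power]
run_dump = enabled
importRoles = user

[role_user]
search = enabled

[role_analyst]
importRoles = power
schedule_search = enabled
"""

CAPABILITY = "run_dump"


def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep keys such as importRoles case-sensitive
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def has_capability(roles: Dict[str, Dict[str, str]], role: str, cap: str,
                   seen: Set[str] = None) -> bool:
    """True if the role grants cap itself or through any transitively imported role."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # guards against import cycles
        return False
    seen.add(role)
    stanza = roles[role]
    if stanza.get(cap, "").strip().lower() == "enabled":
        return True
    imports = [r.strip() for r in stanza.get("importRoles", "").split(";") if r.strip()]
    return any(has_capability(roles, r, cap, seen) for r in imports)


def roles_with_capability(text: str, cap: str = CAPABILITY) -> List[str]:
    """Sorted names of all roles that end up holding cap."""
    roles = parse_roles(text)
    return sorted(r for r in roles if has_capability(roles, r, cap))


def remove_capability(text: str, cap: str = CAPABILITY) -> str:
    """Drop every direct '<cap> = ...' line; inherited grants vanish with them."""
    kept = [ln for ln in text.splitlines() if ln.split("=")[0].strip() != cap]
    return "\n".join(kept) + "\n"
```

A real deployment layers several authorize.conf files (system and per-app), so run the check against the merged configuration rather than a single file.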
Detections
This hunting detection search provides information about possible denial of service exploitation attempts in Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14.
Severity
Splunk rated this vulnerability as Medium, 6.5, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)