Denial of Service (DoS) in Splunk Enterprise Using a Malformed SAML Request

Advisory ID: SVD-2023-0802

CVE ID: CVE-2023-40593

Published: 2023-08-30

Last Update: 2023-10-18

CVSSv3.1 Score: 6.3, Medium

CWE: CWE-400

Bug ID: SPL-219455

Description

In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, an attacker can send a malformed Security Assertion Markup Language (SAML) request to the /saml/acs REST endpoint, which can cause a denial of service through a crash or hang of the Splunk daemon.

The SAML Extensible Markup Language (XML) parser does not fail SAML signature validation when the attacker modifies the URI in the SAML request. Instead, it attempts to access the modified URI, which causes the Splunk daemon to crash or hang.

Solution

Upgrade Splunk Enterprise to versions 8.2.12 and 9.0.6. This vulnerability does not affect Splunk Enterprise versions 9.1.0 and higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version   Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11    8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5     9.0.6
Splunk Cloud       -        Splunk Web  8.2.2203           9.0.2205

Mitigations and Workarounds

Disable single sign-on using SAML as an authentication scheme (SAML SSO). For more information on this type of configuration, see Configure single sign-on with SAML in the Splunk documentation.
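The Product Status table and the workaround above together decide whether an installation needs action: it must run a version in an affected range and have SAML selected as the authentication scheme. The following script is an added example, not Splunk's own code or tooling; it encodes the advisory's affected ranges, parses a Splunk version string, and inspects an authentication.conf fragment. It assumes the `[authentication]` stanza's `authType` key selects the scheme (as in Splunk's authentication.conf); the sample configuration fragments are constructed for the example.

```python
import configparser
import re

# Affected ranges and fix versions as listed in the advisory's Product Status table
# (Splunk Enterprise rows; the Splunk Cloud row is managed by Splunk and not checked here).
AFFECTED_RANGES = [
    ((8, 2, 0), (8, 2, 11), "8.2.12"),
    ((9, 0, 0), (9, 0, 5), "9.0.6"),
]

# Constructed sample authentication.conf fragments (not from a real deployment).
SAMPLE_CONF_SAML = """
[authentication]
authSettings = example_idp
authType = SAML

[example_idp]
entityId = https://idp.example.invalid/metadata
"""

SAMPLE_CONF_LOCAL = """
[authentication]
authType = Splunk
"""


def parse_version(version):
    """Turn '9.0.5' (or '9.0') into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_version(version):
    """Return the fix version if `version` falls inside an affected range, else None."""
    parsed = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= parsed <= high:
            return fix
    return None


def saml_enabled(conf_text):
    """True when authentication.conf selects SAML as the authentication scheme.

    Assumption: the scheme is the `authType` key of the [authentication] stanza.
    configparser is case-insensitive on keys, so `authType` and `authtype` both match.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    scheme = parser.get("authentication", "authType", fallback="Splunk")
    return scheme.strip().lower() == "saml"


def assess(version, conf_text):
    """Combine the version check with the SAML check, mirroring the advisory's Severity note."""
    fix = affected_version(version)
    if fix is None:
        return "not affected: version is outside the advisory's affected ranges"
    if not saml_enabled(conf_text):
        return (f"informational: {version} is in an affected range but SAML SSO is not "
                f"the authentication scheme; upgrade to {fix} when convenient")
    return f"affected: SAML SSO is enabled on {version}; upgrade to {fix} or disable SAML SSO"


if __name__ == "__main__":
    for ver, conf in [("9.0.5", SAMPLE_CONF_SAML), ("9.0.5", SAMPLE_CONF_LOCAL),
                      ("8.2.11", SAMPLE_CONF_SAML), ("9.1.0", SAMPLE_CONF_SAML)]:
        print(f"{ver}: {assess(ver, conf)}")
```

Versions without a patch component (for example "9.0") are treated as ".0", which keeps them inside the affected range rather than silently skipping them. Run the script against your instance's reported version and a copy of the effective authentication.conf to get the same three-way answer the advisory gives: not affected, informational, or affected.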

Detections

Severity

Splunk rates this vulnerability as 6.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

If your Splunk Enterprise instance does not use SAML as an authentication scheme for SSO, it is not affected and this vulnerability can be considered informational.

Acknowledgments

Aaron Devaney (Dodekeract)

Changelog

  • 2023-10-18: Added additional mitigations and specified that if your installation does not run SAML for SSO, this vulnerability can be considered informational