Denial of Service (DoS) via the ‘printf’ Search Function
Advisory ID: SVD-2023-0803
CVE ID: CVE-2023-40594
Published: 2023-08-30
Last Update: 2023-10-18
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-400
Bug ID: SPL-235294
Description
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.
The printf function does not properly validate expressions in certain cases in combination with commands like fieldformat that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.
Solution
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 8.2 | Splunk Web | 8.2.0 to 8.2.11 | 8.2.12 |
Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.5 | 9.0.6 |
Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 | 9.1.1 |
Splunk Cloud | - | Splunk Web | 9.0.2209 and lower | 9.0.2303.100 |
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
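The workaround above, as an added configuration example that is not part of the advisory itself: the web.conf stanza that stops Splunk Web from starting on an indexer that nobody logs in to. The file location follows Splunk's standard layered-configuration layout, and $SPLUNK_HOME is assumed to be the instance's install directory.

```ini
# $SPLUNK_HOME/etc/system/local/web.conf on an indexer where Splunk Web is not used
# (added example; the setting and path follow the documented web.conf specification)
[settings]
# 0 = do not start the Splunk Web process with this instance.
# Search heads keep the default of 1 so users can still log in there.
startwebserver = 0
```

The change takes effect after a restart of the instance; afterwards, confirm that nothing is listening on the Splunk Web port (8000 by default) on that indexer. This only removes the web login surface from indexers; the fix versions listed under Product Status remain the remediation.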
Detections
Severity
Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)