Denial of Service (DoS) via the ‘printf’ Search Function
Advisory ID: SVD-2023-0803
CVE ID: CVE-2023-40594
Last Update: 2023-08-30
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Bug ID: SPL-235294
In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.
printf function does not properly validate expressions in certain cases in combination with commands like
fieldformat that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.
Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
|Product||Version||Component||Affected Version||Fix Version|
|Splunk Enterprise||8.2||Splunk Web||8.2.0 to 8.2.11||8.2.12|
|Splunk Enterprise||9.0||Splunk Web||9.0.0 to 9.0.5||9.0.6|
|Splunk Enterprise||9.1||Splunk Web||9.1.0||9.1.1|
|Splunk Cloud||-||Splunk Web||9.0.2305.100 and below||9.0.2305.200|
Mitigations and Workarounds
If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Danylo Dmytriiev (DDV_UA)