Denial of Service (DoS) via the ‘printf’ Search Function

Advisory ID: SVD-2023-0803

CVE ID: CVE-2023-40594

Published: 2023-08-30

Last Update: 2023-10-18

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-400

Bug ID: SPL-235294

Description

In Splunk Enterprise versions lower than 8.2.12, 9.0.6, and 9.1.1, an attacker can use the ‘printf’ SPL function to perform a denial of service (DoS) against the Splunk Enterprise instance through a crash of the Splunk daemon.

The printf function does not properly validate expressions in certain cases in combination with commands like fieldformat that occur earlier in the search pipeline. This failure to validate results in a crash of the Splunk daemon and the subsequent DoS.

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product            Version  Component   Affected Version     Fix Version
Splunk Enterprise  8.2      Splunk Web  8.2.0 to 8.2.11      8.2.12
Splunk Enterprise  9.0      Splunk Web  9.0.0 to 9.0.5       9.0.6
Splunk Enterprise  9.1      Splunk Web  9.1.0                9.1.1
Splunk Cloud       -        Splunk Web  9.0.2209 and lower   9.0.2303.100

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
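Two triage helpers for this advisory, added here as an example and not Splunk's own code: one compares an installed Splunk Enterprise version against the fixed versions in the Product Status table above, the other reads a web.conf and reports whether Splunk Web would start, so indexers covered by the workaround can be audited. It assumes that 'startwebserver' under the [settings] stanza of web.conf controls Splunk Web (0 disables it, Splunk's default is 1), that release lines older than 8.2 count as affected because they sit below every fix version the advisory names, and that lines newer than 9.1 do not; the web.conf text embedded below is constructed, not taken from a real host.

```python
"""Triage helpers for SVD-2023-0803 (added example, not Splunk's code).

- is_affected(version): compare a Splunk Enterprise version string with the
  fixed versions the advisory lists (8.2.12, 9.0.6, 9.1.1).
- splunk_web_enabled(conf_text): read a web.conf and report whether Splunk Web
  would start, to audit indexers where the workaround should be applied.

Assumptions: 'startwebserver' under [settings] in web.conf controls Splunk Web
(0 = disabled, default 1). The sample conf text below is constructed.
"""
import configparser
from typing import Tuple

# Fixed version per release line, taken from the advisory's Product Status table.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.5' into (9, 0, 5); a build suffix such as '9.0.5.1' is kept."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the version is below the fix version for its release line."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[line]
    # Assumption: lines older than 8.2 are below every fix version the advisory
    # names, so treat them as affected; lines newer than 9.1 shipped after the
    # fix and are treated as not affected.
    return line < (8, 2)


def splunk_web_enabled(conf_text: str) -> bool:
    """Return whether Splunk Web would start given this web.conf content.

    A missing [settings] stanza or missing 'startwebserver' key means the
    Splunk default (web server enabled) applies.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean("settings", "startwebserver", fallback=True)


# Constructed samples of $SPLUNK_HOME/etc/system/local/web.conf on an indexer.
DISABLED_WEB_CONF = """\
[settings]
# Workaround from the advisory: Splunk Web is not needed on this indexer.
startwebserver = 0
"""

DEFAULT_WEB_CONF = """\
[settings]
httpport = 8000
"""


if __name__ == "__main__":
    for ver in ("8.2.11", "8.2.12", "9.0.5", "9.0.6", "9.1.0", "9.1.1"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'fixed'}")
    print("indexer web.conf (disabled):", splunk_web_enabled(DISABLED_WEB_CONF))
    print("indexer web.conf (default):", splunk_web_enabled(DEFAULT_WEB_CONF))
```

On a live host, the effective value is the merge of every web.conf in the configuration precedence chain, so feed the helper the output of `splunk btool web list settings` rather than a single file; Splunk Cloud versions (9.0.2209 and similar) are not parsed here because Splunk patches those instances itself.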

Detections

Severity

Splunk has rated this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Acknowledgments

Danylo Dmytriiev (DDV_UA)