Remote Code Execution via Serialized Session Payload

Advisory ID: SVD-2023-0804

CVE ID: CVE-2023-40595

Published: 2023-08-30

Last Update: 2023-10-18

CVSSv3.1 Score: 8.8, High

CWE: CWE-502

Bug ID: PRODSECOPS-25334

Description

In Splunk Enterprise versions below 8.2.12, 9.0.6, and 9.1.1, an authenticated attacker can run a specially crafted search that writes attacker-controlled serialized data to disk. When that data is later deserialized, the attacker can execute arbitrary code.

The exploit requires the collect SPL command, which writes a file within the Splunk Enterprise installation. The attacker then uses this file to submit a serialized payload; when the payload is deserialized, the code it carries executes.
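Because the advisory names the collect command as a precondition, a practical hunting step is to surface every search in the Splunk audit log that pipes into collect, together with the user who ran it and the full SPL, so an analyst can review the arguments. The script below is an added example and is not part of the Splunk advisory or of Splunk's own detection content. It assumes the audit.log layout "Audit:[... user=<u>, action=search, ... search='<spl>' ...]"; the four sample lines it writes are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Splunk advisory): flag audit-log searches that
# invoke the collect SPL command. Sample lines are constructed, not real.

# Write constructed audit.log lines to the path in $1.
write_sample_audit() {
    cat > "$1" <<'EOF'
Audit:[timestamp=08-30-2023 10:01:02.000, user=admin, action=search, info=granted REST: /services/search/jobs, search='search index=_internal | stats count by sourcetype', ttl=600][n/a]
Audit:[timestamp=08-30-2023 10:05:44.000, user=analyst, action=search, info=granted REST: /services/search/jobs, search='search index=main | eval x=1 | collect index=summary file=report.stash', ttl=600][n/a]
Audit:[timestamp=08-30-2023 10:06:10.000, user=analyst, action=search, info=granted REST: /services/search/jobs, search='| makeresults | collect index=summary', ttl=600][n/a]
Audit:[timestamp=08-30-2023 10:07:00.000, user=svc_dash, action=search, info=granted REST: /services/search/jobs, search='search index=main collect_id=5', ttl=600][n/a]
EOF
}

# Print "user: <spl>" for each search whose pipeline contains a collect stage.
# $1 is an audit log path ("-" reads stdin). Only a "|" followed by the bare
# word collect counts, so field names such as collect_id are not reported.
flag_collect_searches() {
    grep -E 'action=search' "$1" \
    | grep -E "[|][[:space:]]*collect([[:space:]]|'|$)" \
    | sed -E "s/.*user=([^,]+),.*search='([^']*)'.*/\1: \2/"
}

# Stand-alone demo: prints the two analyst searches from the sample.
demo() {
    tmp=$(mktemp)
    write_sample_audit "$tmp"
    flag_collect_searches "$tmp"
    rm -f "$tmp"
}
demo
```

The same filter expressed as an SPL search against the _audit index (action=search and a search string containing "| collect") gives the same hit list inside Splunk; the shell form is useful when the audit log is being reviewed offline or when Splunk Web itself has been disabled.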

Solution

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1.

For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances.

Product Status

Product           | Version | Component  | Affected Version       | Fix Version
Splunk Enterprise | 8.2     | Splunk Web | 8.2.0 to 8.2.11        | 8.2.12
Splunk Enterprise | 9.0     | Splunk Web | 9.0.0 to 9.0.5         | 9.0.6
Splunk Enterprise | 9.1     | Splunk Web | 9.1.0                  | 9.1.1
Splunk Cloud      | -       | Splunk Web | 9.0.2305.100 and below | 9.0.2305.200

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.
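The workaround above amounts to setting startwebserver = 0 in the [settings] stanza of web.conf on each indexer and restarting splunkd. The script below is an added example, not Splunk's own tooling; it takes the web.conf path as an argument so it can be tried against a scratch file first, and it assumes the usual location of local overrides, $SPLUNK_HOME/etc/system/local/web.conf.

```shell
#!/bin/sh
# Added example (not from the Splunk advisory): disable Splunk Web on an
# indexer by forcing "startwebserver = 0" in the [settings] stanza of the
# web.conf passed as $1. Idempotent and portable (no sed -i, no sed \n).

disable_splunk_web() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # Create the file with a [settings] stanza if it does not exist yet,
    # and add the stanza header if the file exists without one.
    [ -f "$conf" ] || printf '[settings]\n' > "$conf"
    grep -q '^\[settings\]' "$conf" || printf '\n[settings]\n' >> "$conf"
    if grep -Eq '^[[:space:]]*startwebserver[[:space:]]*=' "$conf"; then
        # Rewrite the existing key in place, whatever its current value.
        sed -E 's/^[[:space:]]*startwebserver[[:space:]]*=.*/startwebserver = 0/' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        # Insert the key directly under the [settings] header.
        awk '{ print } /^\[settings\]/ { print "startwebserver = 0" }' \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    fi
}

# Returns 0 when the file explicitly turns Splunk Web off.
web_disabled() {
    grep -Eq '^[[:space:]]*startwebserver[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# Stand-alone demo against a scratch copy; on a real indexer point it at
# "$SPLUNK_HOME/etc/system/local/web.conf" and then run
# "$SPLUNK_HOME/bin/splunk restart" for the change to take effect.
demo() {
    scratch=$(mktemp)
    printf '[settings]\nhttpport = 8000\nstartwebserver = 1\n' > "$scratch"
    disable_splunk_web "$scratch"
    web_disabled "$scratch" && echo "Splunk Web disabled in $scratch"
    rm -f "$scratch"
}
demo
```

The equivalent CLI action is "$SPLUNK_HOME/bin/splunk disable webserver" followed by a restart; either way, confirm afterwards that nothing is listening on the configured httpport (8000 by default) on the indexer.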

Detections

Severity

Splunk rated the vulnerability as High, 8.8, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

If the Splunk Enterprise instance does not run Splunk Web, there is no impact and the severity is Informational.

Acknowledgments

Danylo Dmytriiev (DDV_UA)