Denial of Service (DoS) on the datamodel/web REST endpoint
Advisory ID: SVD-2024-0710
CVE ID: CVE-2024-36990
Published: 2024-07-01
Last Update: 2024-07-01
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-835
Bug ID: VULN-15235
Description
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an authenticated, low-privileged user who does not hold the “admin” or “power” Splunk roles could send a specially crafted HTTP POST request to the datamodel/web REST endpoint and cause a denial of service.
The DoS results from a data model definition whose objects depend on each other in a cycle. Resolving such a definition never reaches an exit condition (CWE-835, infinite loop); the unbounded recursion overflows the stack and crashes the Splunk daemon (splunkd).
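The failure mode above, shown as an added example that is not Splunk's code and not a reproduction of the advisory: a data model's objects form a parent/child tree, so resolving an object's lineage means following parentName links until a base object (BaseEvent, BaseSearch) is reached. A naive recursive walk over a definition whose links form a cycle never reaches one and dies only when the stack runs out; the checked walk records what it has visited and rejects the definition instead. The object names and the trimmed JSON shape are constructed for illustration.

```python
"""Added example, not Splunk's code and not a reproduction of the advisory:
resolve a data model object's lineage by following parentName links, first
with a naive recursive walk and then with cycle detection.  The object names
and the JSON shape are constructed for illustration."""


class CyclicDependencyError(ValueError):
    """Raised when parentName links in a data model loop back on themselves."""


def index_objects(model):
    """Map objectName -> object for the model's "objects" list."""
    return {obj["objectName"]: obj for obj in model["objects"]}


def lineage_naive(objects_by_name, name):
    """Root-first lineage, resolved by unbounded recursion.

    A parentName that is not itself a defined object (BaseEvent, BaseSearch)
    ends the walk.  A cycle never reaches one, so the recursion stops only when
    the interpreter's stack limit is hit: RecursionError here, a stack overflow
    and process crash in a native implementation.
    """
    obj = objects_by_name.get(name)
    if obj is None:
        return [name]
    return lineage_naive(objects_by_name, obj["parentName"]) + [name]


def lineage_checked(objects_by_name, name):
    """Same answer as lineage_naive on well-formed input, but iterative, and it
    refuses to follow a parentName already visited on this walk."""
    path, seen, current = [], set(), name
    while current in objects_by_name:
        if current in seen:
            loop = path[path.index(current):] + [current]
            raise CyclicDependencyError(" -> ".join(loop))
        seen.add(current)
        path.append(current)
        current = objects_by_name[current]["parentName"]
    return [current] + path[::-1]


def validate_model(model):
    """Return every object's lineage, or raise on the first cycle found.

    This is the check a definition should pass before anything walks it."""
    objects_by_name = index_objects(model)
    return {name: lineage_checked(objects_by_name, name) for name in objects_by_name}


def naive_walk_exhausts_stack(model, name):
    """True if the naive resolver dies of stack exhaustion on this input."""
    try:
        lineage_naive(index_objects(model), name)
    except RecursionError:
        return True
    return False


# Constructed definitions in the shape of Splunk data model JSON (an "objects"
# list whose entries carry "objectName" and "parentName"), trimmed to the two
# keys the walk needs.
VALID_MODEL = {"modelName": "Example", "objects": [
    {"objectName": "Network_Traffic", "parentName": "BaseEvent"},
    {"objectName": "Web", "parentName": "Network_Traffic"},
    {"objectName": "Proxy", "parentName": "Web"},
]}

# Same objects, but Network_Traffic now names Proxy as its parent, so
# Proxy -> Web -> Network_Traffic -> Proxy has no base object anywhere on it.
CYCLIC_MODEL = {"modelName": "Example", "objects": [
    {"objectName": "Network_Traffic", "parentName": "Proxy"},
    {"objectName": "Web", "parentName": "Network_Traffic"},
    {"objectName": "Proxy", "parentName": "Web"},
]}


if __name__ == "__main__":
    print(validate_model(VALID_MODEL)["Proxy"])
    print("naive resolver overflowed:", naive_walk_exhausts_stack(CYCLIC_MODEL, "Proxy"))
    try:
        validate_model(CYCLIC_MODEL)
    except CyclicDependencyError as err:
        print("rejected:", err)
```

The checked walk also catches an object that names itself as its parent, since the name is already in the visited set on the second iteration. Validating the whole definition up front, rather than while serving a request, is what keeps a malformed submission from taking the daemon down.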
Solution
Upgrade Splunk Enterprise to version 9.2.2, 9.1.5, or 9.0.10 (whichever matches the release line you run), or higher.
Splunk is performing upgrades on Splunk Cloud Platform instances as part of Routine Maintenance for customers, as described in the Splunk Cloud Platform Maintenance Policy. In the meantime, Splunk is actively monitoring for potential issues that could arise from this vulnerability.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.2 | REST API | 9.2.0 to 9.2.1 | 9.2.2 |
Splunk Enterprise | 9.1 | REST API | 9.1.0 to 9.1.4 | 9.1.5 |
Splunk Enterprise | 9.0 | REST API | 9.0.0 to 9.0.9 | 9.0.10 |
Splunk Cloud Platform | 9.1.2312 | REST API | 9.1.2312.200 to 9.1.2312.201 | 9.1.2312.202 |
Splunk Cloud Platform | 9.1.2312 | REST API | 9.1.2312.100 to 9.1.2312.108 | 9.1.2312.109 |
Splunk Cloud Platform | 9.1.2308 | REST API | Below 9.1.2308.208 | 9.1.2308.209 |
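A check against the table above, as an added example that is not Splunk's code: the rows are transcribed from the Product Status table (plus the Splunk Cloud Platform bound that only the Description states), and the comparison is keyed on product so the three-part Splunk Enterprise numbering and the four-part Splunk Cloud Platform numbering are never compared with each other. Where a row only says "Below X", the example assumes it covers X's own release line.

```python
"""Added example, not Splunk's code: decide whether an installed version falls
inside one of the affected ranges in this advisory's Product Status table."""

# (product, first affected or None, first version no longer affected, fix).
# Where the table says "X to Y" with fix Z, the affected range is [X, Z).
# The 9.1.2308 row only says "Below 9.1.2308.208", so it has no lower bound and
# its upper bound is taken literally rather than from the fix column.
AFFECTED_RANGES = [
    ("Splunk Enterprise", "9.2.0", "9.2.2", "9.2.2"),
    ("Splunk Enterprise", "9.1.0", "9.1.5", "9.1.5"),
    ("Splunk Enterprise", "9.0.0", "9.0.10", "9.0.10"),
    ("Splunk Cloud Platform", "9.1.2312.200", "9.1.2312.202", "9.1.2312.202"),
    ("Splunk Cloud Platform", "9.1.2312.100", "9.1.2312.109", "9.1.2312.109"),
    ("Splunk Cloud Platform", None, "9.1.2308.208", "9.1.2308.209"),
    # From the Description ("versions below 9.2.2403.100"), not from the table.
    ("Splunk Cloud Platform", None, "9.2.2403.100", "9.2.2403.100"),
]


def parse_version(text):
    """'9.1.2312.108' -> (9, 1, 2312, 108).  Tuples compare component-wise,
    which is what dotted versions need ('9.0.10' > '9.0.9', unlike strings)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError("expected at least three numeric components: %r" % text)
    return parts


def branch(parts):
    """Release line = every component but the last: 9.1.4 -> (9, 1),
    9.1.2312.108 -> (9, 1, 2312)."""
    return parts[:-1]


def status(product, version):
    """'affected', 'fixed' or 'unlisted' for the given product and version.

    A version is only called 'fixed' when a row for the same release line has
    a fix version it meets; anything the advisory does not cover is
    'unlisted', never silently 'safe'."""
    v = parse_version(version)
    rows = [r for r in AFFECTED_RANGES if r[0] == product]
    for _, lower, upper, _fix in rows:
        up = parse_version(upper)
        if lower is None:
            # A bare "below X" is read as covering X's own release line only
            # (assumption; the table does not say).
            in_range = branch(v) == branch(up) and v < up
        else:
            in_range = parse_version(lower) <= v < up
        if in_range:
            return "affected"
    for _, _lower, _upper, fix in rows:
        fixed = parse_version(fix)
        if branch(v) == branch(fixed) and v >= fixed:
            return "fixed"
    return "unlisted"


def naive_minimum_check(version):
    """The shortcut to avoid: 'fixed if >= the lowest fix version'.  It
    declares 9.1.2 fixed because 9.1.2 > 9.0.10, although the 9.1 line is
    affected up to 9.1.4."""
    return parse_version(version) >= (9, 0, 10)


if __name__ == "__main__":
    for product, version in [("Splunk Enterprise", "9.1.2"),
                             ("Splunk Enterprise", "9.0.10"),
                             ("Splunk Cloud Platform", "9.1.2312.108"),
                             ("Splunk Cloud Platform", "9.1.2308.3"),
                             ("Splunk Enterprise", "9.3.0")]:
        print(product, version, status(product, version))
    print("naive check on 9.1.2 says fixed:", naive_minimum_check("9.1.2"))
```

The point of the tri-state result is that fixes here are per release line: 9.1.2 is numerically above 9.0.10 yet still affected, and a version the advisory never lists should be reported as such rather than as safe.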
Mitigations and Workarounds
None
Detections
Severity
Splunk rates this vulnerability as 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Acknowledgments
Anton (therceman)