-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3142
       SVD-2023-0601: Denial Of Service due to Untrusted XML Tag in
                  XML Parser within  SAML Authentication
                                2 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
                   Splunk Cloud Platform
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-32706  

Original Bulletin: 
   https://advisory.splunk.com//advisories/SVD-2023-0601

Comment: CVSS (Max):  7.7 CVE-2023-32706 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Denial Of Service due to Untrusted XML Tag in XML Parser within SAML
Authentication

Advisory ID: SVD-2023-0601

CVE ID: CVE-2023-32706

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 7.7, High

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE: CWE-611

Bug ID: SPL-224292

Description

An unauthenticated attacker can send specially-crafted messages to the XML
parser within SAML authentication to cause a denial of service in the Splunk
daemon. This happens when an incorrectly configured XML parser receives XML
input that contains a reference to an entity expansion. Many recursive
references to entity expansions can cause the XML parser to use all available
memory on the machine, causing the Splunk daemon to crash or be terminated by
the operating system.

Solution

For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the
Splunk Cloud instances.

Product Status

      Product             Version      Component  Affected Version Fix Version
Splunk Enterprise    8.1               Splunk Web 8.1.0 to 8.1.13  8.1.14
Splunk Enterprise    8.2               Splunk Web 8.2.0 to 8.2.10  8.2.11
Splunk Enterprise    9.0               Splunk Web 9.0.0 to 9.0.4   9.0.5
Splunk Cloud         9.0.2303 and      Splunk Web                  9.0.2303.100
Platform             below

Mitigations and Workarounds

Disable single sign-on using SAML as an authentication scheme (SAML SSO). For
more information on this type of configuration, see Configure single sign-on
with SAML in the Splunk documentation.

Detections

None

Severity

Splunk rated the vulnerability as High, 7.7 with a CVSSv3.1 vector of CVSS:3.1/
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H.

If the Splunk Enterprise instance does not use SAML SSO for authentication,
there is no impact and the severity is Informational.

Acknowledgments

Vikram Ashtaputre, Splunk

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZHmFxskNZI30y1K9AQifsxAApSc+1Za1VEGXq89//N0TYp8lY+DHb2dh
x0H7JjtVf1KIs58jN8L5e3wz4lf5BvIj6PD3zLGiNDeBaIKk6QdmZgSvVcb1OZa9
wwaPd4IWOvk7h3ttqkC+SXyEA1fXSv9ZfeRSKTXtpuFOuFPWraPSg7qL9K6f7JKp
UFHl+efH727L4BeAV0qC+W7Nl04Wcy3uBKUmK5ebXoO4lxJISy0fWLvvWTTOD8Au
c9TJha1KtyJaKN2lc/frxfbFymtY6dPC69ibaDAuMUZZH62pb8Dr1QDNrWwWZpKW
aVP6ia46qwSg4mxcEaw6qBPPZuahj8bta8JDcDFNbifPMlWPuCgEqpd9h68+xoAp
IQ9qT3xj8OsBpGBsLs89mvRdBBuX/DKeTAadgagPhQgSW9ls6kqKyW37smxPfG27
UZDUF7w8Ia0IDW+hgPdEzkBgxnMGTL860e9YBF2d75iohM7HgSF9RbdcnrsSrf6n
B/qzhhfw1VDThuzeq9p+1aHBQmbnOImC/cwqLNiFQtFNwLRMy2eptJ1FwNyivk9o
qQ6gMafvnf6S5FuWR9qqCPjof9teJJ5wVsJZb92YmVWcwaluqonbVdcLKSfgUa3n
W1snQSuDAX+r+tn+hLQfRjC3gjFVPozFBcJ8uTU8Ll65XlcR697y7PRM9egpAdUB
nD7T+rjCYVs=
=JNg1
-----END PGP SIGNATURE-----