===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.3150
     SVD-2023-0603: HTTP Response Splitting via the 'rest' SPL Command
                                2 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Splunk Enterprise
                   Splunk Cloud Platform
Publisher:         Splunk
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-32708  

Original Bulletin: 
   https://advisory.splunk.com//advisories/SVD-2023-0603

Comment: CVSS (Max):  7.2 CVE-2023-32708 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Splunk
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

HTTP Response Splitting via the 'rest' SPL Command

Advisory ID: SVD-2023-0603

CVE ID: CVE-2023-32708

Published: 2023-06-01

Last Update: 2023-06-01

CVSSv3.1 Score: 7.2, High

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-113

Bug ID: SPL-235203

Description

A low-privileged user can trigger an HTTP response splitting vulnerability with
the 'rest' SPL command that potentially lets them access arbitrary other REST
endpoints in the system, including viewing restricted content.

Solution

For Splunk Enterprise, upgrade to versions 9.0.5, 8.2.11, 8.1.14, or higher.

For Splunk Cloud Platform, Splunk is monitoring and patching affected
instances.

Product Status

Product                Version  Component   Affected Version    Fix Version
Splunk Enterprise      8.1      Splunk Web  8.1.0 to 8.1.13     8.1.14
Splunk Enterprise      8.2      Splunk Web  8.2.0 to 8.2.10     8.2.11
Splunk Enterprise      9.0      Splunk Web  9.0.0 to 9.0.4      9.0.5
Splunk Cloud Platform           Splunk Web  9.0.2303 and lower  9.0.2303.100

Mitigations and Workarounds

For Splunk Enterprise, limit the number of searches a process can run by
editing the limits.conf configuration file and giving the
'max_searches_per_process' setting a value of either 1 or 0.

For Splunk Cloud Platform, file a support ticket to adjust this configuration
setting.
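
The Product Status table and the workaround above can be combined into a
quick triage check for a Splunk Enterprise host. This is an added example,
not code from Splunk or AusCERT. It assumes you pass in the merged
limits.conf text and that the setting lives in the [search] stanza (the
bulletin does not name the stanza); the function names and sample configs
are constructed for illustration.

```python
import configparser

# Splunk Enterprise affected ranges and fix versions, from the Product Status table.
AFFECTED = {
    (8, 1): ((8, 1, 0), (8, 1, 13), "8.1.14"),
    (8, 2): ((8, 2, 0), (8, 2, 10), "8.2.11"),
    (9, 0): ((9, 0, 0), (9, 0, 4), "9.0.5"),
}

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_MITIGATED = "[search]\n# workaround for SVD-2023-0603\nmax_searches_per_process = 1\n"
SAMPLE_UNMITIGATED = "[search]\nmax_searches_per_process = 500\n"

def parse_version(text):
    """Turn '9.0.4' or '8.1' into a 3-part tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def fix_version_needed(version):
    """Return the fix version if `version` is in a listed affected range, else None."""
    v = parse_version(version)
    entry = AFFECTED.get(v[:2])
    if entry and entry[0] <= v <= entry[1]:
        return entry[2]
    return None

def mitigation_applied(limits_conf_text):
    """True if max_searches_per_process is 1 or 0 in [search] (assumed stanza)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(limits_conf_text)
    value = cp.get("search", "max_searches_per_process", fallback=None)
    return value is not None and value.strip() in ("0", "1")

def assess(version, limits_conf_text):
    """Summarise exposure to SVD-2023-0603 for one host."""
    fix = fix_version_needed(version)
    if fix is None:
        return "not listed as affected"
    state = "workaround set" if mitigation_applied(limits_conf_text) else "no workaround"
    return f"affected, {state}; upgrade to {fix} or higher"

if __name__ == "__main__":
    print(assess("9.0.4", SAMPLE_UNMITIGATED))
    print(assess("8.2.10", SAMPLE_MITIGATED))
    print(assess("9.0.5", SAMPLE_UNMITIGATED))
```

A version outside the three listed release lines returns "not listed as
affected", which reflects only what the table covers.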

Detections

  o Splunk http response splitting via rest SPL command

This detection search provides information about a possible HTTP response
splitting exploitation in Splunk Enterprise versions below 9.0.5, 8.2.11, and
8.1.14.

Severity

Splunk rated the vulnerability as High, 7.2, with a CVSSv3.1 vector of
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Danylo Dmytriiev (DDV_UA)

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================