WARNING: VULNERABILITY IN SPLUNK ENTERPRISE CAN LEAD TO REMOTE CODE EXECUTION (RCE), PATCH IMMEDIATELY

Published: 23/11/2023

Reference:
Advisory #2023-138

Version:
1.0

Affected software:
Splunk Enterprise versions before 9.0.7
Splunk Enterprise versions before 9.1.2

Type:
Insecure XML Parsing

CVE/CVSS:
CVE-2023-46214
CVSS: 8.0 (HIGH) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Sources

Risks

Exploitation of CVE-2023-46214 can lead to remote code execution (RCE) through insecure XML parsing.

The vulnerability is actively discussed and referenced in forums and platforms. Proof-of-concept exploit(s) exist(s). A compromise could have a high impact on confidentiality, integrity and availability.

Splunk offers a solution to mitigate the risk.

Description

Splunk Enterprise does not safely sanitize Extensible Stylesheet Language Transformations (XSLT) supplied by users. An attacker could upload a malicious XSLT, which could result in remote code execution (RCE) on the Splunk Enterprise instance.
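The following is an added example, not Splunk's code or fix and not part of the original advisory: a strict allow-list check that an application could apply to a user-supplied stylesheet before handing it to an XSLT processor. The advisory does not say which XSLT features are involved, so the allow-list, the function name `audit_stylesheet` and the sample stylesheets are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumed policy: XSLT 1.0 instructions that only shape the output document.
ALLOWED_XSL = {
    "stylesheet", "transform", "output", "template", "apply-templates", "call-template",
    "with-param", "param", "variable", "value-of", "for-each", "if", "choose", "when",
    "otherwise", "text", "sort", "element", "attribute", "copy", "copy-of",
}
# Functions that read other documents or reveal processor details.
RISKY_FUNCS = re.compile(r"\b(document|system-property|unparsed-entity-uri)\s*\(")

def audit_stylesheet(data: bytes) -> list:
    """Return policy violations for an untrusted stylesheet ([] means accept)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["stylesheet must be UTF-8"]
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DTD or entity declarations are not accepted"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        findings.append("root element is not xsl:stylesheet")
    for el in root.iter():
        ns, _, local = el.tag[1:].partition("}") if el.tag[0] == "{" else ("", "", el.tag)
        if ns == XSL_NS and local not in ALLOWED_XSL:
            findings.append(f"xsl:{local} is not on the allow-list")
        elif ns not in ("", XSL_NS):  # strict: foreign-namespace output refused too
            findings.append(f"element in foreign namespace {ns}")
        for name, value in el.attrib.items():
            if name.endswith("extension-element-prefixes"):
                findings.append("declares extension elements")
            if RISKY_FUNCS.search(value):
                findings.append(f"risky function in @{name}")
    return findings

# Constructed samples (made-up namespace and file names, not from a real exploit).
BENIGN = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><rows><xsl:value-of select="//row/@id"/></rows></xsl:template>
</xsl:stylesheet>"""
SUSPECT = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ext="urn:example:ext" extension-element-prefixes="ext">
  <xsl:template match="/"><ext:action/><xsl:copy-of select="document('other.xml')"/></xsl:template>
</xsl:stylesheet>"""
for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
    print(label, audit_stylesheet(doc) or "accepted")
```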

Recommended Actions

The Centre for Cyber Security Belgium (CCB) strongly recommends following Splunk's advisory and upgrading to Splunk Enterprise 9.0.7 or 9.1.2.

References