CVE-2023-3997

8.6 HIGH

📋 TL;DR

CVE-2023-3997 is a log file poisoning vulnerability in Splunk SOAR where attackers can inject malicious ANSI escape sequences through web requests. When administrators view these poisoned logs in their terminals, it can lead to terminal manipulation and potential code execution. This affects Splunk SOAR versions below 6.1.0.

💻 Affected Systems

Products:
  • Splunk SOAR (formerly Phantom)
Versions: All versions below 6.1.0
Operating Systems: All platforms running Splunk SOAR
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in how Splunk SOAR handles ANSI characters in web requests that get logged.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution on administrator's workstation through terminal emulator vulnerabilities when viewing logs, potentially leading to full system compromise.

🟠

Likely Case

Terminal manipulation causing unexpected behavior, data corruption, or denial of service on administrator workstations.

🟢

If Mitigated

Limited impact with proper access controls, log sanitization, and terminal security configurations.

🌐 Internet-Facing: MEDIUM - Requires web request to Splunk SOAR, but exploitation depends on administrator viewing logs.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can poison logs that administrators will view.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to send web requests to Splunk SOAR and for an administrator to view the logs in a vulnerable terminal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.0 and later

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2023-0702

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Upgrade Splunk SOAR to version 6.1.0 or later.
3. Restart Splunk SOAR services.
4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Filter ANSI escape sequences in logs (platform: linux)

Configure log processing to strip or escape ANSI control characters before storage.

sed -r 's/\x1b\[[0-9;]*[a-zA-Z]//g' logfile.log > clean.log

Use secure terminal viewers (platform: all)

Configure administrators to use terminal emulators that sanitize or disable ANSI escape sequence execution.

🧯 If You Can't Patch

  • Restrict web access to Splunk SOAR to trusted sources only
  • Implement a log sanitization pipeline that removes ANSI escape sequences before logs are viewed

🔍 How to Verify

Check if Vulnerable:

Check Splunk SOAR version via admin interface or command: phantom --version

Check Version:

phantom --version

Verify Fix Applied:

Confirm the version is 6.1.0 or higher and test log viewing with known ANSI sequences

📡 Detection & Monitoring

Log Indicators:

  • Unusual ANSI escape sequences in web request logs
  • Malformed log entries with control characters

Network Indicators:

  • HTTP requests containing unusual ANSI character sequences to Splunk SOAR endpoints

SIEM Query:

source="splunk_soar_logs" AND ("\x1b[" OR "\033[" OR "\e[")
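The following is an added example (not from Splunk or from this advisory) that covers both the sanitization workaround and the log indicators above: it strips escape sequences from log lines before they reach a terminal, and flags the entries that contained them. The sed one-liner in the workaround section removes only CSI sequences (ESC [ ... final byte); this example also removes OSC sequences (ESC ] ... BEL or ESC \), which carry hyperlinks and window-title payloads, and two-byte ESC sequences, and it renders any leftover control bytes as visible text. The log lines are constructed samples, not real Splunk SOAR output, and the file paths are assumptions.

```python
import re
import sys

# Escape sequences an attacker can smuggle into a logged request.
# The sed one-liner on this page covers only the first alternative (CSI).
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[@-Z\\^_]"                      # two-byte Fe sequences (ESC + one char)
)
# Remaining C0 control bytes (except TAB/LF) and DEL, which a log line never needs.
C0_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

# Constructed sample entries in a web-access-log style; not real Splunk SOAR logs.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /rest/version HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /rest/ping HTTP/1.1" 404 "\x1b[2J\x1b[1mbanner text\x1b[0m"',
    '10.0.0.9 - - "GET /\x1b]8;;http://example.invalid/\x07login\x1b]8;;\x07 HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET /rest/ping HTTP/1.1" 404 "\x07\x07bell"',
]


def sanitize_line(line: str) -> str:
    """Drop ANSI escape sequences, then render any leftover control byte as \\xNN."""
    line = ANSI_RE.sub("", line)
    return C0_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def sanitize_log(lines):
    """Sanitize every line; the result is safe to print to a terminal."""
    return [sanitize_line(line) for line in lines]


def scan_log(lines):
    """Return (line_number, original_line) for entries that carried control sequences.

    This is the detection side: the same indicator the SIEM query above looks for,
    applied to raw lines so that OSC and bare-ESC forms are caught as well.
    """
    return [
        (n, line)
        for n, line in enumerate(lines, 1)
        if ANSI_RE.search(line) or C0_RE.search(line)
    ]


def main(path=None):
    # Assumed usage: python sanitize_logs.py /path/to/logfile.log > clean.log
    lines = SAMPLE_LOG if path is None else open(path, encoding="utf-8", errors="replace").read().splitlines()
    for n, _ in scan_log(lines):
        print(f"line {n}: control sequences found", file=sys.stderr)
    for clean in sanitize_log(lines):
        print(clean)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no arguments to see the constructed samples sanitized; flagged line numbers go to stderr so the cleaned output can still be redirected to a file. Keeping stripped control bytes visible as `\xNN` rather than silently deleting them preserves evidence for incident review without giving the terminal anything to interpret.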
