CVE-2023-40595

8.8 HIGH

📋 TL;DR

This vulnerability in Splunk Enterprise allows attackers to execute arbitrary code by crafting malicious queries that exploit insecure deserialization. It affects Splunk Enterprise versions before 8.2.12, 9.0.6, and 9.1.1. Organizations using vulnerable versions are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: lower than 8.2.12, 9.0.6, and 9.1.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with administrative privileges, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized data access, privilege escalation, and installation of malware or cryptocurrency miners.

🟢 If Mitigated: Limited impact due to network segmentation, minimal user privileges, and proper monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Splunk, but the technical complexity is low once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.12, 9.0.6, or 9.1.1

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2023-0804

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from Splunk's website.
2. Back up your Splunk configuration and data.
3. Stop Splunk services.
4. Install the update following Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Splunk Query Access (applies to: all)

Limit which users can execute queries to only trusted administrators.

Network Segmentation (applies to: all)

Isolate Splunk servers from critical systems and restrict inbound connections.

🧯 If You Can't Patch

  • Implement strict access controls and limit Splunk to trusted users only.
  • Deploy network monitoring and intrusion detection systems to detect exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface or the command line. If the version is below 8.2.12, 9.0.6, or 9.1.1, the system is vulnerable.

Check Version:

On the Splunk server, run: /opt/splunk/bin/splunk version

Verify Fix Applied:

After patching, verify that the version is 8.2.12, 9.0.6, or 9.1.1, or higher.
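The version check above is branch-dependent: a 9.0.x install is fixed at 9.0.6, while a 9.1.x install needs 9.1.1. The following script is an added example (not part of this advisory page or of Splunk's own tooling) that parses the output of `splunk version` and applies that per-branch comparison. It assumes the output contains an `x.y.z` version string (e.g. `Splunk 9.0.5 (build ...)`, a constructed sample) and, for branches with no fixed release listed on the page, compares against the highest fixed release; both are assumptions, not statements from the advisory.

```python
import re
import subprocess

# Fixed releases per maintenance branch, taken from the advisory:
# 8.2.12, 9.0.6 and 9.1.1.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 12),
    (9, 0): (9, 0, 6),
    (9, 1): (9, 1, 1),
}

# Assumed binary path (the advisory's verification command uses it).
SPLUNK_BIN = "/opt/splunk/bin/splunk"


def parse_version(text):
    """Return (major, minor, patch) from a bare version string or from
    `splunk version` output (assumed to contain an x.y.z token)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def fixed_release_for(version):
    """Fixed release the install should be on. Assumption: a branch with no
    listed fix is measured against the highest fixed release (9.1.1)."""
    return FIXED_BY_BRANCH.get(version[:2], max(FIXED_BY_BRANCH.values()))


def is_vulnerable(text):
    """True if the parsed version is below the fixed release for its branch."""
    version = parse_version(text)
    return version < fixed_release_for(version)


def assess(text):
    """Summarise the check for reporting: version, status and target release."""
    version = parse_version(text)
    target = fixed_release_for(version)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": version < target,
        "fixed_release": ".".join(map(str, target)),
    }


def assess_installed(splunk_bin=SPLUNK_BIN):
    """Run `splunk version` on this host and assess the result."""
    out = subprocess.run([splunk_bin, "version"], capture_output=True,
                         text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "Splunk 9.0.5 (build 1234567890ab)"
    print(assess(sample))  # {'version': '9.0.5', 'vulnerable': True, 'fixed_release': '9.0.6'}
```

Run `assess_installed()` on the Splunk host to check the installed build; `assess()` works on pasted output when the check is done centrally from an inventory.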

📡 Detection & Monitoring

Log Indicators:

  • Unusual query patterns, unexpected process execution, or privilege escalation attempts in Splunk audit logs.

Network Indicators:

  • Unexpected outbound connections from Splunk servers, especially to suspicious IPs.

SIEM Query:

index=_audit sourcetype=audittrail action=search search=* | stats count by user, search
