Mitigation and Upgrades
1. Check if you are running one of the following Splunk Enterprise versions:
- 7.0.x before 18.104.22.168/7.0.1
- 6.6.x before 22.214.171.124/6.6.4
- 6.5.x before 6.5.6
- 6.4.x before 6.4.9
- 6.3.x before 6.3.12
2. Check if you have SAML login enabled.
   On *nix:
   $SPLUNK_HOME/bin/splunk btool authentication list | grep authType
   On Windows:
   $SPLUNK_HOME\bin\splunk btool authentication list | find "authType"
If the 'authType' value contains the word 'SAML', Splunk is running in a vulnerable configuration and should be patched immediately.
For more information, see the SAML Troubleshooting documentation.
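The two checks above combined into one verdict, as an added example that is not Splunk's own tooling. The function names are hypothetical, the SAML match is case-insensitive by assumption, and for the 7.0.x and 6.6.x lines the cutoff is the maintenance release named after the slash (7.0.1, 6.6.4), so an interim fixed build on those lines is reported as affected and needs a manual check.

```sh
#!/bin/sh
# Added example: version check (step 1) plus SAML check (step 2).

# fixed_in LINE: print the cutoff release for a major.minor line listed in
# the advisory, or nothing if the line is not listed.
fixed_in() {
    case "$1" in
        7.0) echo 7.0.1 ;;   # assumption: release after the slash
        6.6) echo 6.6.4 ;;   # assumption: release after the slash
        6.5) echo 6.5.6 ;;
        6.4) echo 6.4.9 ;;
        6.3) echo 6.3.12 ;;
    esac
}

# version_lt A B: succeed if dotted version A sorts strictly before B.
# Fields are compared numerically, so 6.3.9 sorts before 6.3.12.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# saml_enabled: read btool output on stdin; succeed if an authType line
# contains SAML.
saml_enabled() {
    grep -i '^[[:space:]]*authType' | grep -qi 'saml'
}

# assess VERSION BTOOL_OUTPUT: print one verdict word.
assess() {
    version=$1
    btool_out=$2
    fix=$(fixed_in "$(printf '%s' "$version" | cut -d. -f1,2)")
    if [ -z "$fix" ]; then echo "not-listed"; return 0; fi
    if ! version_lt "$version" "$fix"; then echo "patched"; return 0; fi
    if printf '%s\n' "$btool_out" | saml_enabled; then
        echo "vulnerable"
    else
        echo "affected-version-saml-off"
    fi
}

# Constructed sample inputs (not taken from a real host).
assess 6.5.5 'authType = SAML'
assess 6.3.12 'authType = SAML'
```

On a live host, pass the version reported by `$SPLUNK_HOME/bin/splunk version` as the first argument and the full output of the btool command from step 2 as the second.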
To mitigate this issue, Splunk recommends upgrading to one of the latest releases and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.