Splunk Enterprise 220.127.116.11/7.0.1, 18.104.22.168/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities
Please note, as of 2017-Nov-14, all affected Splunk Cloud customers have been updated.
At the time of this announcement, Splunk is not aware of any cases where these vulnerabilities have been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no Common Vulnerabilities and Exposures (CVE) identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2 (CVSS v2).
Affected Products and Components
- Affected Product Versions: Splunk Enterprise versions 7.0.x before 188.8.131.52/7.0.1, 6.6.x before 184.108.40.206/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9, 6.3.x before 6.3.12. All Splunk cloud instances using SAML have been updated to 220.127.116.11.
- Affected Components: All Splunk Enterprise components running Splunk Web with SAML authentication enabled.
- Unaffected Components: Universal Forwarders and Splunk Enterprise instances where Splunk Web is disabled or not using SAML authentication.
Mitigation and Upgrades
1. Check if you are running one of the following Splunk Enterprise versions:
- 7.0.x before 18.104.22.168/7.0.1
- 6.6.x before 22.214.171.124/6.6.4
- 6.5.x before 6.5.6
- 6.4.x before 6.4.9
- 6.3.x before 6.3.12
2. Check if you have SAML login enabled.
On Linux and macOS:
```sh
$SPLUNK_HOME/bin/splunk btool authentication list | grep authType
```
On Windows (Command Prompt; `%SPLUNK_HOME%` is the Windows form of the install path variable):
```
%SPLUNK_HOME%\bin\splunk btool authentication list | find "authType"
```
If the `authType` line contains the word `SAML`, the instance has a vulnerable configuration and should be patched immediately.
For more information, see the SAML Troubleshooting documentation.
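The two checks above (affected version branch, and SAML authentication enabled) can be combined into one script, for example when surveying many search heads from an inventory. The following is an added example, not part of the Splunk advisory or of any Splunk tool: it takes a version string and the text of the `btool authentication list` output as inputs, so it can be run offline against constructed data. It models only the final fixed release of each branch (7.0.1, 6.6.4, 6.5.6, 6.4.9, 6.3.12); the interim maintenance releases named in the advisory are not modelled, so a 7.0.0.x or 6.6.3.x maintenance release is reported conservatively as affected. The sample `btool` output below is constructed.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): decide whether a Splunk Enterprise
# instance falls in this advisory's affected range from (a) its version and
# (b) the output of `splunk btool authentication list`.

# version_lt A B: returns 0 when dotted numeric version A sorts before B.
# Missing trailing components are treated as 0, so 7.0.0.1 < 7.0.1.
version_lt() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    a=${a#*.};  b=${b#*.}
    x=${x:-0};  y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# splunk_version_affected V: returns 0 when V is on a listed branch and is
# below that branch's fixed release (interim maintenance releases not modelled).
splunk_version_affected() {
  v="$1"
  branch=$(printf '%s' "$v" | cut -d. -f1-2)
  case "$branch" in
    7.0) fixed=7.0.1 ;;
    6.6) fixed=6.6.4 ;;
    6.5) fixed=6.5.6 ;;
    6.4) fixed=6.4.9 ;;
    6.3) fixed=6.3.12 ;;
    *)   return 1 ;;   # branch not named in the advisory
  esac
  version_lt "$v" "$fixed"
}

# saml_enabled: reads btool output on stdin; returns 0 when the authType
# setting mentions SAML (the advisory's test for a SAML-enabled instance).
saml_enabled() {
  grep 'authType' | grep -q 'SAML'
}

# splunk_saml_advisory_check VERSION BTOOL_OUTPUT: prints "patch" when both
# conditions hold, otherwise "ok".
splunk_saml_advisory_check() {
  version="$1"; btool_output="$2"
  if splunk_version_affected "$version" && \
     printf '%s\n' "$btool_output" | saml_enabled; then
    echo "patch"
  else
    echo "ok"
  fi
}

# Constructed sample of `btool authentication list` output for a SAML instance.
SAMPLE_BTOOL='[authentication]
authSettings = my_idp
authType = SAML
[my_idp]
idpSSOUrl = https://idp.example.test/sso'

# Stand-alone demonstration on the constructed data.
echo "6.6.3 with SAML: $(splunk_saml_advisory_check 6.6.3 "$SAMPLE_BTOOL")"
echo "6.6.4 with SAML: $(splunk_saml_advisory_check 6.6.4 "$SAMPLE_BTOOL")"
echo "6.6.3 local auth: $(splunk_saml_advisory_check 6.6.3 'authType = Splunk')"
```

On a live host the second argument would be `"$($SPLUNK_HOME/bin/splunk btool authentication list)"` and the first the output of `splunk version`; a result of `patch` means the instance matches both conditions the advisory describes and should be upgraded.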
To mitigate this issue, Splunk recommends upgrading to one of the latest releases and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes.
Vulnerability Descriptions and Ratings
Multiple SAML implementation vulnerabilities in Splunk Enterprise (CVE-2017-17067)
Description: Splunk Enterprise versions 7.0.x before 126.96.36.199/7.0.1, 6.6.x before 188.8.131.52/6.6.4, 6.5.x before 6.5.6, 6.4.x before 6.4.9, 6.3.x before 6.3.12 are vulnerable to multiple SAML vulnerabilities. The most severe of these vulnerabilities can permit an unauthenticated attacker access to a SAML-enabled Splunk Web or permit an authenticated user to impersonate another user or role.
Credits: Splunk would like to thank Jacob Honoroff for reporting a portion of this issue.
CVSS Severity (version 2.0):

| Metric | Score |
|---|---|
| CVSS Base Score | 10.0 |
| CVSS Impact Subscore | 10.0 |
| CVSS Exploitability Subscore | 10.0 |
| Overall CVSS Score | 10.0 |