Splunk
cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*
- < 10.0.1
- < 9.4.4
- < 9.3.6
- < 9.2.8
A denial-of-service vulnerability has been identified in Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as in Splunk Cloud Platform versions prior to 9.3.2411.108, 9.3.2408.118, and 9.2.2406.123. The issue arises when a user with a role that includes the high-privilege capability 'change_authentication' sends multiple LDAP bind requests to a specific internal endpoint. This behavior leads to excessive CPU usage on the server, potentially causing a denial-of-service condition that persists until the Splunk Enterprise instance is restarted.
Exploitation of this vulnerability causes high CPU usage on the server, leading to a denial-of-service condition that requires a restart of the Splunk Enterprise instance to resolve.
Users are advised to upgrade Splunk Enterprise to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, or higher. For Splunk Cloud Platform instances, no action is needed as Splunk is actively monitoring and patching these versions. If an upgrade is not possible, the high-privilege capability 'change_authentication' can be removed from the user's role. Additionally, turning off Splunk Web can serve as a workaround.
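The two checks the remediation above implies, as an added example that is not Splunk's own code: deciding whether an Enterprise version predates the fix for its branch, and listing roles that grant `change_authentication` so it can be removed where an upgrade is not yet possible. It assumes the JSON shape returned by `GET /services/authorization/roles?output_mode=json` (entries carrying `content.capabilities` and `content.imported_capabilities`); the role payload below is constructed for this example.

```python
"""Audit helpers for the Splunk change_authentication LDAP-bind DoS advisory.
Added example, not Splunk code. The roles JSON shape is an assumption about
the authorization/roles REST endpoint; SAMPLE_ROLES is constructed data."""
import json

# First fixed version per Splunk Enterprise branch, as stated in the advisory.
FIXED_BY_BRANCH = {(10, 0): (10, 0, 1), (9, 4): (9, 4, 4),
                   (9, 3): (9, 3, 6), (9, 2): (9, 2, 8)}
CAPABILITY = "change_authentication"


def parse_version(text):
    """'9.4.3' -> (9, 4, 3); a build suffix after '-' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def is_affected(version):
    """True if the version predates its branch's fix, False if fixed.
    Versions below every listed branch are treated as affected (the advisory
    says 'prior to 9.2.8'); versions in branches the advisory does not list
    return None so the caller does not assume they are safe."""
    v = parse_version(version)
    if v[:2] in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[v[:2]]
    return True if v < min(FIXED_BY_BRANCH.values()) else None


def roles_with_capability(roles_json, capability=CAPABILITY):
    """Names of roles holding `capability` directly or via an imported role."""
    hits = []
    for entry in json.loads(roles_json)["entry"]:
        content = entry.get("content", {})
        caps = set(content.get("capabilities", []))
        caps |= set(content.get("imported_capabilities", []))
        if capability in caps:
            hits.append(entry["name"])
    return sorted(hits)


# Constructed sample: one role holds the capability directly, one via import.
SAMPLE_ROLES = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["change_authentication",
     "edit_user"], "imported_capabilities": []}},
    {"name": "user", "content": {"capabilities": ["search"],
     "imported_capabilities": []}},
    {"name": "ldap_ops", "content": {"capabilities": ["search"],
     "imported_capabilities": ["change_authentication"]}}]})

if __name__ == "__main__":
    for ver in ("9.4.3", "9.4.4", "10.0.0", "9.1.2"):
        print(ver, "affected" if is_affected(ver) else "fixed/unknown")
    print("roles to review:", roles_with_capability(SAMPLE_ROLES))
```

Against a live instance, feed the endpoint's JSON to `roles_with_capability` and treat every listed role as a candidate for having the capability removed until the upgrade is done.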