Splunk 4.3.x Denial Of Service due to Python vulnerability
________________________________________________________________________
Vendors: Splunk Inc., http://www.splunk.com
Product: Splunk 4.3.x (+ possibly earlier versions)
Vulnerability: Unauth. remote denial of service against splunkweb
Tracking IDs: CVE-2012-1150
SPL-53249
___________________________________________________________________________
Vendor communication:
2012/09/03 Reported the issue via Splunk's website
2012/09/04 Splunk responds and assigns tracking ID, plans fix for 5.0.
           Replacing the Python version in a maintenance release (4.3.x)
           was considered too risky.
2012/10/25 Splunk informs us that 5.0 will be available on November 1st.
2012/10/29 Splunk 5.0 is released.
___________________________________________________________________________
Overview:
Splunkweb uses Python 2.7.2, which has a vulnerability that allows an
attacker to produce hash collisions for the hash table string hashing
function. This leads to O(n^2) complexity when inserting n keys (see
http://bugs.python.org/issue13703).
Description:
An attacker can abuse this vulnerability by sending a POST request to
Splunkweb (for example to the login form endpoint) with colliding keys.
Even a moderate amount of POST data leads to 100% CPU usage for the
splunkweb process.
Impact:
Denial of service (CPU exhaustion) against the Splunk server.
Fixes:
This issue has been fixed in Splunk 5.0 by updating the Python version
to 2.7.3 and enabling hash randomization.
________________________________________________________________________
Credits:
Alexander Klink, n.runs AG (discovery)
________________________________________________________________________
References:
This advisory and upcoming advisories:
http://www.nruns.com/security_advisory.php
________________________________________________________________________
# 0day.today [2018-04-03] #