Splunk version 4.3.x suffers from a denial of service hash table vulnerability.
________________________________________________________________________ Vendors: Splunk Inc., http://www.splunk.com Product: Splunk 4.3.x (+ possibly earlier versions) Vulnerability: Unauth. remote denial of service against splunkweb Tracking IDs: CVE-2012-1150 SPL-53249 ___________________________________________________________________________ Vendor communication: 2012/09/03 Reported the issue via Splunk's website 2012/09/04 Splunk responds and assigns tracking ID, plans fix for 5.0. Replacing the Python version in a maintenance release (4.3.x) was considered too risky. 2012/10/25 Splunk informs us that 5.0 will be available on November 1st. 2012/10/29 Splunk 5.0 is released. ___________________________________________________________________________ Overview: Splunkweb uses Python 2.7.2, which suffers from a vulnerability which allows an attacker to produce hash collisions for the hash table string hashing function. This leads to an O(n^2) complexity when inserting n keys (see http://bugs.python.org/issue13703). Description: An attacker can abuse this vulnerability by sending a POST request to Splunkweb (for example to the login form endpoint) with colliding keys. Even a moderate amount of POST data leads to a 100% CPU usage for the splunkweb process. Impact: Denial of service (CPU exhaustion) against the Splunk server. Fixes: This issue has been fixed in Splunk 5.0 by updating the Python version to 2.7.3 and enabling hash randomization. ________________________________________________________________________ Credits: Alexander Klink, n.runs AG (discovery) ________________________________________________________________________ References: This advisory and upcoming advisories: http://www.nruns.com/security_advisory.php ________________________________________________________________________ # 0day.today [2018-04-03] #