________________________________________________________________________

Vendors: Splunk Inc., http://www.splunk.com
Product: Splunk 4.3.x (+ possibly earlier versions)
Vulnerability: Unauth. remote denial of service against splunkweb
Tracking IDs: CVE-2012-1150
              SPL-53249

___________________________________________________________________________

Vendor communication:

2012/09/03  Reported the issue via Splunk's website
2012/09/04  Splunk responds and assigns tracking ID, plans fix for 5.0.
            Replacing the Python version in a maintenance release (4.3.x)
            was considered too risky.
2012/10/25  Splunk informs us that 5.0 will be available on November 1st.
2012/10/29  Splunk 5.0 is released.

___________________________________________________________________________

Overview:

Splunkweb uses Python 2.7.2, which suffers from a vulnerability which
allows an attacker to produce hash collisions for the hash table string
hashing function. This leads to an O(n^2) complexity when inserting n
keys (see

Description:

An attacker can abuse this vulnerability by sending a POST request to
Splunkweb (for example to the login form endpoint) with colliding keys.
Even a moderate amount of POST data leads to a 100% CPU usage for the
splunkweb process.

Impact:

Denial of service (CPU exhaustion) against the Splunk server.

Fixes:

This issue has been fixed in Splunk 5.0 by updating the Python version
to 2.7.3 and enabling hash randomization.

________________________________________________________________________

Credits:

Alexander Klink, n.runs AG (discovery)

________________________________________________________________________

References:

This advisory and upcoming advisories:

________________________________________________________________________
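The two mitigations that matter for a web front end built on a Python dict are the ones the advisory names: run an interpreter with hash randomization switched on (Python 2.7.3 with `-R` / `PYTHONHASHSEED=random`, or any Python 3.3+ where it is the default), and refuse to parse a form body with an unreasonable number of fields before it ever reaches the dict. The following is an added example written for this advisory, not code from Splunk or from n.runs; the WSGI middleware, the `MAX_FORM_FIELDS` limit and the sample bodies are assumptions chosen to illustrate the check.

```python
"""Defensive checks for CVE-2012-1150-style form-field collision DoS.

Added example (not Splunk's code): it shows how a WSGI front end can
(1) confirm the interpreter randomises str hashes, and (2) bound the
number of form fields it will parse so an over-long POST cannot drive
dict insertion into its quadratic worst case.
"""
import io
import sys
from urllib.parse import parse_qsl

# Assumed deployment limit; real forms rarely need more than a few hundred fields.
MAX_FORM_FIELDS = 1000


def hash_randomization_enabled() -> bool:
    """True when str hashes are salted per process.

    sys.flags.hash_randomization is 1 under Python 2.7.3+ with -R or
    PYTHONHASHSEED=random, and by default on Python 3.3+ (0 if
    PYTHONHASHSEED=0 was forced).
    """
    return bool(sys.flags.hash_randomization)


def count_form_fields(body: bytes) -> int:
    """Count key=value pairs in a urlencoded body WITHOUT building a dict.

    A plain byte split is linear in the body size and never hashes the
    keys, so it is safe to run on untrusted input before parsing.
    """
    if not body:
        return 0
    return sum(1 for part in body.split(b"&") if part)


def parse_form_safely(body: bytes, max_fields: int = MAX_FORM_FIELDS) -> dict:
    """Parse a urlencoded body only if its field count is within the limit."""
    n = count_form_fields(body)
    if n > max_fields:
        raise ValueError(f"form has {n} fields, limit is {max_fields}")
    # Only now do the keys reach a dict (and therefore the hash function).
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


class FormFieldLimitMiddleware:
    """WSGI middleware that rejects over-sized urlencoded POSTs with 413."""

    def __init__(self, app, max_fields: int = MAX_FORM_FIELDS):
        self.app = app
        self.max_fields = max_fields

    def __call__(self, environ, start_response):
        is_form_post = (
            environ.get("REQUEST_METHOD") == "POST"
            and environ.get("CONTENT_TYPE", "").startswith(
                "application/x-www-form-urlencoded")
        )
        if is_form_post:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            if count_form_fields(body) > self.max_fields:
                start_response("413 Payload Too Large",
                               [("Content-Type", "text/plain")])
                return [b"too many form fields\n"]
            # Hand the already-read body back to the wrapped application.
            environ["wsgi.input"] = io.BytesIO(body)
        return self.app(environ, start_response)


def make_post_environ(body: bytes) -> dict:
    """Build a minimal WSGI environ for a urlencoded POST (test helper)."""
    return {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


def run_request(app, body: bytes, max_fields: int = MAX_FORM_FIELDS) -> str:
    """Send a constructed POST through the middleware; return the HTTP status."""
    seen = []

    def start_response(status, headers, exc_info=None):
        seen.append(status)

    mw = FormFieldLimitMiddleware(app, max_fields=max_fields)
    list(mw(make_post_environ(body), start_response))
    return seen[-1]


def demo_app(environ, start_response):
    """Stand-in for splunkweb's login handler (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


if __name__ == "__main__":
    print("hash randomization:", hash_randomization_enabled())
    small = b"username=admin&password=x&return_to="          # constructed
    large = b"&".join(b"k%d=v" % i for i in range(5000))    # constructed
    print(run_request(demo_app, small, max_fields=10))
    print(run_request(demo_app, large, max_fields=10))
```

The field count is taken before any key is hashed, so the guard itself costs O(n) in the body length regardless of what the keys look like; the 413 is returned from the middleware and the wrapped application never sees the oversized body. The interpreter check is a deployment assertion to put in a start-up self-test: a front end running on a Python without hash randomization stays exposed no matter how the limit is tuned.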