High-Risk Splunk Enterprise RCE Vulnerability (CVE-2023-46214): PoC Exploit Released

An independent security researcher has published a proof-of-concept (PoC) exploit for CVE-2023-46214, a remote code execution (RCE) vulnerability in Splunk Enterprise, the on-premises edition of the widely used Splunk data monitoring and analytics platform. The flaw lets an attacker execute arbitrary code on a vulnerable server and is rated High, with a CVSS score of 8.8.

Splunk Enterprise is a platform for collecting and analyzing the large volumes of machine data generated by an organization's infrastructure and business applications. That data is used to produce analytical insights that support security monitoring, compliance, application delivery, IT operations, and other business functions.

Splunk's customer base includes hundreds of organizations worldwide, among them Intel, Lenovo, Zoom, Bosch, Coca-Cola, Papa Johns, Honda, and Puma.

CVE-2023-46214 stems from Splunk Enterprise not safely sanitizing Extensible Stylesheet Language Transformations (XSLT) stylesheets that users can upload. Because the uploaded XSLT is processed without adequate filtering, an attacker can supply a crafted stylesheet whose transformation results in remote code execution on the Splunk Enterprise server.
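To make concrete what "sanitizing uploaded XSLT" means, the following is an added example written for this article; it is not Splunk's code, not the fix shipped in 9.0.7/9.1.2, and not the researcher's PoC. It is a server-side pre-processing audit that flags the XSLT features that let a stylesheet escape the result tree: file-writing elements (EXSLT `exsl:document`, XSLT 2.0 `xsl:result-document`), processor extension namespaces (Saxon, Xalan, Java class bindings), and file-reading XPath functions (`document()`, `unparsed-text()`). The two stylesheets embedded in the block are constructed samples: a benign one that prints a field, and a generic malicious one using the well-known `exsl:document` write primitive. The malicious sample illustrates the class of bug, not the specific chain used against Splunk, which this page does not reproduce.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSL_NS = "http://exslt.org/common"

# Extension namespaces that let a stylesheet escape the result tree: write
# files (EXSLT common, Saxon) or call into the host runtime (Xalan/Java).
DANGEROUS_NS = {
    EXSL_NS: "EXSLT common: exsl:document can write arbitrary files",
    "http://icl.com/saxon": "Saxon extension functions",
    "http://saxon.sf.net/": "Saxon extension functions",
    "http://xml.apache.org/xalan": "Xalan extension functions",
    "http://xml.apache.org/xslt/java": "Xalan Java extension calls",
}

# Elements that direct output somewhere other than the transformation result.
DANGEROUS_ELEMENTS = {
    (XSL_NS, "result-document"): "xsl:result-document writes to a caller-chosen URI",
    (EXSL_NS, "document"): "exsl:document writes to a caller-chosen URI",
}

# XPath functions that read local files or fetch remote resources.
DANGEROUS_FUNCS = re.compile(r"\b(document|doc|unparsed-text|unparsed-text-lines)\s*\(")
XPATH_ATTRS = ("select", "test", "match", "href", "use")


def _split_tag(tag):
    """Return (namespace, local name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_xslt(xslt_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    stream = io.BytesIO(xslt_text.encode("utf-8"))
    # start-ns events expose every xmlns declaration before the element that carries it.
    for event, payload in ET.iterparse(stream, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            if uri in DANGEROUS_NS:
                findings.append(f"namespace {prefix or '(default)'}={uri}: {DANGEROUS_NS[uri]}")
            elif uri.startswith(("xalan://", "java:")):
                findings.append(f"namespace {prefix}={uri}: binds a Java class as an extension")
            continue
        elem = payload
        ns, local = _split_tag(elem.tag)
        if (ns, local) in DANGEROUS_ELEMENTS:
            findings.append(f"element {local}: {DANGEROUS_ELEMENTS[(ns, local)]}")
        if ns == XSL_NS and local in ("stylesheet", "transform") \
                and "extension-element-prefixes" in elem.attrib:
            findings.append("stylesheet enables extension elements: "
                            f"{elem.attrib['extension-element-prefixes']}")
        for attr in XPATH_ATTRS:
            value = elem.attrib.get(attr, "")
            m = DANGEROUS_FUNCS.search(value)
            if m:
                findings.append(f"{local}/@{attr} calls {m.group(1)}(): {value}")
    return findings


# Constructed sample: a harmless stylesheet that prints one field per line.
BENIGN_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/results">
    <xsl:for-each select="result">
      <xsl:value-of select="field[@k='host']/value/text"/><xsl:text>&#10;</xsl:text>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample: generic XSLT file-write plus local file read. This is an
# illustration of the bug class, not the CVE-2023-46214 exploit chain.
MALICIOUS_XSLT = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="/tmp/dropped.txt" method="text">
      <xsl:value-of select="document('/etc/hostname')"/>
    </exsl:document>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_XSLT), ("malicious", MALICIOUS_XSLT)):
        result = audit_xslt(text)
        print(f"{name}: {'REJECT' if result else 'accept'}")
        for line in result:
            print("  -", line)
```

A denylist like this is a useful gate at the upload boundary, but it is not a substitute for configuring the XSLT processor itself to refuse extension elements and file/network access; that processor-level control is the assumed correct fix for this class of bug, and the audit above simply makes the rejected constructs visible.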

According to Splunk, the vulnerability affects Splunk Enterprise versions 9.0.0 through 9.0.6 and 9.1.0 through 9.1.1. The article also lists Splunk Enterprise 8.x releases and Splunk Cloud Platform versions below 9.1.2308 as affected.

The researcher who published the exploit also described the vulnerability in detail in a separate write-up. According to that report, exploitation requires prior authentication (valid credentials for a Splunk user) as well as some user interaction on the target server, so it is not a pre-auth remote attack.

Splunk has released versions 9.0.7 and 9.1.2, which fix CVE-2023-46214. Where an immediate upgrade is not possible, the recommended interim mitigation is to disable XSLT uploads for search jobs. Splunk has also published a detailed advisory on the vulnerability that security teams can use for assessment and detection.