Third-Party Package Updates in Splunk Enterprise - January 2024
Advisory ID: SVD-2024-0109
CVE ID: Multiple
Published: 2024-01-22
Last Update: 2024-01-26
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.0.8 and 9.1.3, including the following:
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| golang, in Splunk Assist | Upgraded golang from 1.20.7 to 1.20.10 | Multiple* | See vendor |
| golang, in mongodump and mongorestore | Upgraded golang from 1.19** to 1.20.10 | Multiple* | See vendor |
| future, Python 3, in Upgrade Readiness App | Upgraded to 0.18.3 | CVE-2022-40899 | High |
| future, Python 2, in Upgrade Readiness App | Upgraded to 0.18.3 | CVE-2022-40899 | High |
| certifi | Patched*** | CVE-2023-37920 | Low |
*For more information on the vulnerabilities impacting older golang versions, please refer to the vendor’s Release History.
**Splunk upgraded from a version of mongodump and mongorestore using golang 1.19.8 in Darwin builds, golang 1.19.9 in Windows builds, and golang 1.19.10 in Linux builds to golang 1.20.10.
***Splunk patched certifi at $SPLUNK_HOME/lib/python3.7/site-packages/certifi by backporting the cacert.pem from 2023.07.22 to 2019.6.16.
Solution
Upgrade Splunk Enterprise to version 9.0.8, 9.1.3, or higher.
As an alternative to updating, if you’re not using the Upgrade Readiness App (URA), you may disable or uninstall the app to remediate both CVE-2022-40899s. See Manage app and add-on objects for help.
As an alternative to updating, if you’re not using the Splunk Assist app, you may disable or uninstall the app to remediate the golang vulnerabilities in Splunk Assist. See Manage app and add-on objects for help.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | - | 9.1.0 to 9.1.2 | 9.1.3 |
Severity
For CVE-2022-40899, Splunk adopted NVD’s severity rating.
For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.
For more information on the vulnerabilities impacting older golang versions, please refer to the vendor’s Release History for the individual issues.
Changelog
- 2023-01-26: Updated and simplified OSS table. Updated Severity section with clarifications to match updates to oss table. Moved certifi clarifications under the table. Added additional solutions concerning the URA and Splunk Assist apps. Replaced mongotools with mongodump and mongorestore (Splunk does not ship all mongotool packages). Added clarification around updates to golang for mongorestore, mongodump, and Splunk Assist. Referred to the vendor for the list and severities for golang vulnerabilities.