Third-Party Package Updates in Splunk Enterprise - June 2025
Advisory ID: SVD-2025-0603
CVE ID: Multiple
Published: 2025-06-02
Last Update: 2025-06-04
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, and higher, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
golang ¹ | Upgraded to v1.22.11 | Multiple | Critical |
golang ² | Upgraded to v1.23.5 | Multiple | High |
golang ³ | Upgraded to v1.23.5 | Multiple | High |
golang ⁴ | Upgraded to v1.23.5 | Multiple | High |
golang.org/x/crypto ⁵ | Upgraded to v0.33.0 | Multiple | Critical |
golang.org/x/crypto ⁶ | Removed traefik binary | Multiple | High |
golang.org/x/crypto ⁷ | Upgraded to v0.32.0 | CVE-2024-45337 | Critical |
postgres ⁸ | Removed postgres binary | Multiple | High |
aws-sdk-java ⁹ | Upgraded to v1.12.261 | CVE-2022-31159 | Medium |
idna ¹⁰ | Upgraded to v3.8 | CVE-2024-3651 | Medium |
go://github.com/Azure/azure-sdk-for-go/sdk/azidentity ¹¹ | Upgraded to v1.6.0 | CVE-2024-35255 | Medium |
go://golang.org/x/net ¹² | Upgraded to v0.34.0 | CVE-2024-45338 | Medium |
go://golang.org/x/net ¹³ | Upgraded to v0.35.0 | CVE-2024-45338 | Medium |
go://github.com/quic-go/quic-go ¹⁴ | Removed traefik binary | CVE-2024-53259 | Medium |
go://gopkg.in/square/go-jose.v2 ¹⁵ | Removed traefik binary | CVE-2024-28180 | Medium |
1 Upgraded golang to v1.22.11 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-24789 and CVE-2024-24790. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
2 Upgraded golang to v1.23.5 in $SPLUNK_HOME/bin/compsup to remedy CVE-2024-34155 and CVE-2024-34158. The compsup binary is not present in versions 9.1.x.
3 Upgraded golang to v1.23.5 in mongodump and mongorestore to remedy CVE-2024-24791, CVE-2024-34155, and CVE-2024-34158.
4 Upgraded golang to v1.23.5 in $SPLUNK_HOME/opt/packages/identity to remedy CVE-2024-34155 and CVE-2024-34158. The identity binary is not present in versions 9.1.x.
5 Upgraded golang.org/x/crypto to v0.33.0 in $SPLUNK_HOME/opt/packages/identity to remedy CVE-2024-45337. The identity binary is not present in versions 9.1.x.
6 traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
7 Upgraded golang.org/x/crypto to v0.32.0 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45337. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
8 postgres package is removed from the $SPLUNK_HOME/bin directory. Upgrading to the fixed versions does not automatically remove the previous postgres binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm postgres. NOTE: Removing the postgres binary from your system will not affect other functionality, as it is not used anywhere in the product. The postgres binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
9 Upgraded aws-sdk-java to v1.12.261 to remedy CVE-2022-31159.
10 Upgraded idna to v3.8 in $SPLUNK_HOME/lib/python3.7/site-packages to remedy CVE-2024-3651. Fixed in 9.1.9. Already fixed in 9.4.1, 9.3.3, and 9.2.5 (see SVD-2025-0308).
11 Upgraded go://github.com/Azure/azure-sdk-for-go/sdk/azidentity to v1.6.0 in $SPLUNK_HOME/bin/spl2-orchestrator to remedy CVE-2024-35255. The spl2-orchestrator binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
12 Upgraded go://golang.org/x/net to v0.34.0 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45338. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
13 Upgraded go://golang.org/x/net to v0.35.0 in $SPLUNK_HOME/opt/packages/identity binaries to remedy CVE-2024-45338.
14 traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
15 traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
Solution
Upgrade Splunk Enterprise to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk Enterprise | 9.4 | 9.4.0 to 9.4.1 | 9.4.2 |
Splunk Enterprise | 9.3 | 9.3.0 to 9.3.3 | 9.3.4 |
Splunk Enterprise | 9.2 | 9.2.0 to 9.2.5 | 9.2.6 |
Splunk Enterprise | 9.1 | 9.1.0 to 9.1.8 | 9.1.9 |
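Because the upgrade leaves the old traefik and postgres binaries in place, a host can run a fixed version and still carry the removed packages on disk. The following script is an added example, not Splunk tooling: it checks a version string against the Product Status table and looks for those two leftover files. The function names are hypothetical, and the version string is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example (not Splunk's code): audit a host against SVD-2025-0603.
# Usage (assumed invocation): SPLUNK_HOME=/opt/splunk sh audit.sh 9.4.1

# fixed_patch BASE -> first fixed patch level for a base version (Product Status table).
fixed_patch() {
    case "$1" in
        9.4) echo 2 ;;
        9.3) echo 4 ;;
        9.2) echo 6 ;;
        9.1) echo 9 ;;
        *)   return 1 ;;
    esac
}

# version_status X.Y.Z -> "affected", "fixed", or "unknown" (base version not in the table).
version_status() {
    base=${1%.*}
    patch=${1##*.}
    case "$patch" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    fix=$(fixed_patch "$base") || { echo unknown; return 0; }
    if [ "$patch" -lt "$fix" ]; then echo affected; else echo fixed; fi
}

# leftover_binaries SPLUNK_HOME -> paths of removed-package binaries still on disk.
leftover_binaries() {
    for name in traefik postgres; do
        if [ -e "$1/bin/$name" ]; then echo "$1/bin/$name"; fi
    done
}

# audit SPLUNK_HOME VERSION -> exit status 0 only if the version is fixed and nothing is left over.
audit() {
    vstatus=$(version_status "$2")
    left=$(leftover_binaries "$1")
    echo "version $2: $vstatus"
    if [ -n "$left" ]; then echo "leftover binaries: $left"; fi
    [ "$vstatus" = fixed ] && [ -z "$left" ]
}

# Run only when a Splunk home and a version argument are both provided.
if [ -n "${SPLUNK_HOME:-}" ] && [ $# -ge 1 ]; then
    audit "$SPLUNK_HOME" "$1"
fi
```

A version whose base is not listed in the table is reported as "unknown" rather than guessed.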
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.
Changelog
- 2025-06-04: Updated the list of fix versions in the security advisory