Third-Party Package Updates in Splunk Universal Forwarder - June 2025
Advisory ID: SVD-2025-0604
CVE ID: Multiple
Published: 2025-06-02
Last Update: 2025-06-04
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder version 9.4.2, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
golang [1] | Upgraded to v1.22.11 | Multiple | Critical |
golang.org/x/crypto [2] | Removed traefik binary | Multiple | High |
golang.org/x/crypto [3] | Upgraded to v0.32.0 | CVE-2024-45337 | Critical |
postgres [4] | Removed postgres binary | Multiple | High |
go://golang.org/x/net [5] | Upgraded to v0.34.0 | CVE-2024-45338 | Medium |
go://github.com/quic-go/quic-go [6] | Removed traefik binary | CVE-2024-53259 | Medium |
go://gopkg.in/square/go-jose.v2 [7] | Removed traefik binary | CVE-2024-28180 | Medium |
[1] Upgraded golang to v1.22.11 in the etc, etcdctl, and etcdutl binaries to remedy CVE-2024-24789 and CVE-2024-24790. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
[2] The traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
[3] Upgraded golang.org/x/crypto to v0.32.0 in the etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45337. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
[4] The postgres package is removed from the $SPLUNK_HOME/bin directory. Upgrading to the fixed versions does not automatically remove the previous postgres binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm postgres. NOTE: Removing the postgres binary from your system will not affect other functionality, as it is not used anywhere in the product. The postgres binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
[5] Upgraded go://golang.org/x/net to v0.34.0 in the etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45338. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.
[6] The traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
[7] The traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.
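The manual clean-up described in footnotes 2, 4, 6 and 7, written up as an added example that is not Splunk's own tooling: it audits a Universal Forwarder install for the traefik and postgres binaries that an upgrade leaves behind and deletes them only when asked. It assumes $SPLUNK_HOME is the install root and that etc/splunk.version carries a VERSION=x.y.z line; neither detail is stated in the advisory.

```shell
#!/bin/sh
# Added example, not Splunk's own script: find the third-party binaries the
# advisory says an upgrade does not remove (traefik, postgres) and, on
# request, delete them from $SPLUNK_HOME/bin.
# Assumptions: $1 is the Universal Forwarder install root and
# etc/splunk.version holds a VERSION=x.y.z line (not stated in the advisory).
# Usage: . ./uf_leftovers.sh; audit_uf "$SPLUNK_HOME" [--remove]

# Binaries the advisory describes as unused by the product and safe to remove.
LEFTOVER_BINS="traefik postgres"

# uf_version <SPLUNK_HOME>: print the installed version, or "unknown".
uf_version() {
    v=""
    if [ -r "$1/etc/splunk.version" ]; then
        v=$(sed -n 's/^VERSION=//p' "$1/etc/splunk.version")
    fi
    echo "${v:-unknown}"
}

# leftover_bins <SPLUNK_HOME>: print the full path of each leftover present.
leftover_bins() {
    for b in $LEFTOVER_BINS; do
        if [ -e "$1/bin/$b" ]; then echo "$1/bin/$b"; fi
    done
}

# remove_leftovers <SPLUNK_HOME>: delete each leftover and report it.
remove_leftovers() {
    leftover_bins "$1" | while IFS= read -r p; do
        rm -f -- "$p" && echo "removed $p"
    done
}

# audit_uf <SPLUNK_HOME> [--remove]: report version and leftovers.
# Returns 0 when bin/ is clean (or was just cleaned), 1 when leftovers remain.
audit_uf() {
    root=$1
    echo "Universal Forwarder version: $(uf_version "$root")"
    found=$(leftover_bins "$root")
    if [ -z "$found" ]; then
        echo "no leftover third-party binaries in $root/bin"
        return 0
    fi
    echo "leftover binaries found:"; echo "$found"
    if [ "${2:-}" = "--remove" ]; then
        remove_leftovers "$root"
        return 0
    fi
    echo "rerun with --remove to delete them"
    return 1
}
```

Run it without --remove first on a fleet to inventory which hosts still carry the binaries, then with --remove once the report looks right.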
Solution
Upgrade Splunk Universal Forwarder to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.
Product Status
Product | Base Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Universal Forwarder | 9.4 | - | 9.4.0 to 9.4.1 | 9.4.2 |
Splunk Universal Forwarder | 9.3 | - | Not affected | - |
Splunk Universal Forwarder | 9.2 | - | Not affected | - |
Splunk Universal Forwarder | 9.1 | - | Not affected | - |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.
Changelog
- 2025-06-04: Updated the list of affected versions in the security advisory