Third-Party Package Updates in Splunk Universal Forwarder - June 2025

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder version 9.4.2, including the following:

₁ Upgraded golang to v1.22.11 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-24789 and CVE-2024-24790. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

₂ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₃ Upgraded golang.org/x/crypto to v0.32.0 in the etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45337. The etc, etcdctl, and etcdutl binaries are not present in 9.1.x, 9.2.x and 9.3.x versions.

₄ postgres package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2023-5869, CVE-2024-7348, CVE-2024-10979, and CVE-2025-1094. Upgrading to the fixed versions does not automatically remove the previous postgres binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm postgres. NOTE: Removing the postgres binary from your system will not affect other functionality, as it is not used anywhere in the product. The postgres binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₅ Upgraded go://golang.org/x/net to v0.34.0 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45338. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

₆ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₇ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

Solution

Upgrade Splunk Universal Forwarder to version 9.4.2, or higher

Product Status

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.

Changelog

• 2025-06-06: Updated the severity for postgres and traefik binaries to informational.

• 2025-06-04: Updated the list of affected versions in the security advisory.