Third-Party Package Updates in Splunk Universal Forwarder - June 2025

Advisory ID: SVD-2025-0604

CVE ID: Multiple

Published: 2025-06-02

Last Update: 2025-06-04

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder version 9.4.2, including the following:

Package	Remediation	CVE	Severity
golang₁	Upgraded to v1.22.11	Multiple	Critical
golang.org/x/crypto₂	Removed traefik binary	Multiple	High
golang.org/x/crypto₃	Upgraded to v0.32.0	CVE-2024-45337	Critical
postgres₄	Removed postgres binary	Multiple	High
go://golang.org/x/net₅	Upgraded to v0.34.0	CVE-2024-45338	Medium
go://github.com/quic-go/quic-go₆	Removed traefik binary	CVE-2024-53259	Medium
go://gopkg.in/square/go-jose.v2₇	Removed traefik binary	CVE-2024-28180	Medium

₁ Upgraded golang to v1.22.11 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-24789 and CVE-2024-24790. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

₂ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₃ Upgraded golang.org/x/crypto to v0.32.0 in the etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45337. The etc, etcdctl, and etcdutl binaries are not present in 9.1.x, 9.2.x and 9.3.x versions.

₄ postgres package is removed from the $SPLUNK_HOME/bin directory. Upgrading to the fixed versions does not automatically remove the previous postgres binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm postgres. NOTE: Removing the postgres binary from your system will not affect other functionality, as it is not used anywhere in the product. The postgres binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₅ Upgraded go://golang.org/x/net to v0.34.0 in etc, etcdctl, and etcdutl binaries to remedy CVE-2024-45338. The etc, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

₆ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

₇ traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to the fixed versions does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary from your system will not affect other functionality, as it is not used anywhere in the product. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

Solution

Upgrade Splunk Universal Forwarder to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.

Product Status

Product	Base Version	Affected Version	Fix Version
Splunk Universal Forwarder	9.4	9.4.0 to 9.4.1	9.4.2
Splunk Universal Forwarder	9.3	Not affected
Splunk Universal Forwarder	9.2	Not affected
Splunk Universal Forwarder	9.1	Not affected

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.

Changelog

2025-06-04: Updated the list of affected versions in the security advisory