Third-Party Package Updates in Splunk Universal Forwarder - June 2025

Advisory ID: SVD-2025-0604

CVE ID: Multiple

Published: 2025-06-02

Last Update: 2025-06-04

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages shipped with Splunk Universal Forwarder, fixed in version 9.4.2, including the following:

Package                              Remediation              CVE             Severity
golang [1]                           Upgraded to v1.22.11     Multiple        Critical
golang.org/x/crypto [2]              Removed traefik binary   Multiple        High
golang.org/x/crypto [3]              Upgraded to v0.32.0      CVE-2024-45337  Critical
postgres [4]                         Removed postgres binary  Multiple        High
go://golang.org/x/net [5]            Upgraded to v0.34.0      CVE-2024-45338  Medium
go://github.com/quic-go/quic-go [6]  Removed traefik binary   CVE-2024-53259  Medium
go://gopkg.in/square/go-jose.v2 [7]  Removed traefik binary   CVE-2024-28180  Medium

[1] Upgraded golang to v1.22.11 in the etcd, etcdctl, and etcdutl binaries to remedy CVE-2024-24789 and CVE-2024-24790. The etcd, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

[2] The traefik package is removed from the $SPLUNK_HOME/bin directory to remedy CVE-2024-45337 and CVE-2025-22869. Upgrading to a fixed version does not automatically remove the previous traefik binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm traefik. NOTE: Removing the traefik binary does not affect any other functionality, because the product does not use it anywhere. The traefik binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

[3] Upgraded golang.org/x/crypto to v0.32.0 in the etcd, etcdctl, and etcdutl binaries to remedy CVE-2024-45337. The etcd, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

[4] The postgres package is removed from the $SPLUNK_HOME/bin directory. Upgrading to a fixed version does not automatically remove the previous postgres binary from your system. To remove it manually, run the following command from a shell prompt: cd $SPLUNK_HOME/bin && rm postgres. NOTE: Removing the postgres binary does not affect any other functionality, because the product does not use it anywhere. The postgres binary is not present in versions 9.1.x, 9.2.x, and 9.3.x.

[5] Upgraded go://golang.org/x/net to v0.34.0 in the etcd, etcdctl, and etcdutl binaries to remedy CVE-2024-45338. The etcd, etcdctl, and etcdutl binaries are not present in versions 9.1.x, 9.2.x, and 9.3.x.

[6] See note [2]: the traefik package is removed from the $SPLUNK_HOME/bin directory, and a leftover traefik binary must be removed manually after upgrading.

[7] See note [2]: the traefik package is removed from the $SPLUNK_HOME/bin directory, and a leftover traefik binary must be removed manually after upgrading.
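The notes above describe a manual clean-up (the upgrade leaves the old traefik and postgres binaries in place, and you are expected to rm them yourself). The script below is an added example, not code from the Splunk advisory or the product: it reports whether the installed version is in the affected range, lists the stale binaries that are still present, and removes them only when asked. It assumes SPLUNK_HOME defaults to /opt/splunkforwarder (an assumed path), that the install records its version as a VERSION=x.y.z line in $SPLUNK_HOME/etc/splunk.version, and that the leftover files are named exactly traefik and postgres as the notes state.

```shell
#!/bin/sh
# Added example; not code from the Splunk advisory or the Splunk product.
# After an in-place upgrade of the Universal Forwarder, check whether the
# installed version was in the affected range and remove the unused traefik
# and postgres binaries that the upgrade leaves under $SPLUNK_HOME/bin.
# Assumptions: SPLUNK_HOME defaults to /opt/splunkforwarder (assumed path);
# the install records its version in $SPLUNK_HOME/etc/splunk.version as a
# "VERSION=x.y.z" line; the stale files are named exactly "traefik" and
# "postgres", as the advisory notes state.

STALE_NAMES="traefik postgres"

# Print the x.y.z value of the VERSION= line in a splunk.version file ($1).
read_version() {
    sed -n 's/^VERSION=//p' "$1" | head -n 1
}

# Return 0 if version $1 is one of the affected releases (9.4.0 to 9.4.1).
is_affected() {
    case "$1" in
        9.4.0|9.4.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the full path of each stale binary present under bin directory $1.
list_stale() {
    bindir="$1"
    for name in $STALE_NAMES; do
        if [ -e "$bindir/$name" ]; then
            printf '%s\n' "$bindir/$name"
        fi
    done
    return 0
}

# Print how many stale binaries are present under bin directory $1.
count_stale() {
    list_stale "$1" | wc -l | tr -d ' '
}

# Delete the stale binaries under bin directory $1 and verify none remain.
# Refuses to touch anything that is not a directory, or the root directory.
remove_stale() {
    bindir="$1"
    if [ ! -d "$bindir" ] || [ "$bindir" = "/" ]; then
        echo "refusing to operate on '$bindir'" >&2
        return 1
    fi
    for name in $STALE_NAMES; do
        if [ -e "$bindir/$name" ]; then
            rm -f -- "$bindir/$name" || return 1
            echo "removed $bindir/$name"
        fi
    done
    [ "$(count_stale "$bindir")" -eq 0 ]
}

# Dry run by default; pass --remove to actually delete the stale binaries.
main() {
    home="${SPLUNK_HOME:-/opt/splunkforwarder}"
    if [ -f "$home/etc/splunk.version" ]; then
        ver="$(read_version "$home/etc/splunk.version")"
        if is_affected "$ver"; then
            echo "version $ver is affected: upgrade to 9.4.2 or higher"
        else
            echo "version $ver is not in the affected range"
        fi
    fi
    if [ "$1" = "--remove" ]; then
        remove_stale "$home/bin"
    else
        echo "$(count_stale "$home/bin") stale binaries under $home/bin (dry run):"
        list_stale "$home/bin"
    fi
}

main "$@"
```

Run it once without arguments after the upgrade to see what is left behind, then with --remove; the final check in remove_stale makes the script exit non-zero if either file is still present, which is what a configuration-management run should key on.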

Solution

Upgrade Splunk Universal Forwarder to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher. Only the 9.4.0 to 9.4.1 releases ship the affected binaries; 9.3.x, 9.2.x, and 9.1.x are listed as not affected under Product Status.

Product Status

Product                     Base Version  Component  Affected Version  Fix Version
Splunk Universal Forwarder  9.4           -          9.4.0 to 9.4.1    9.4.2
Splunk Universal Forwarder  9.3           -          Not affected      -
Splunk Universal Forwarder  9.2           -          Not affected      -
Splunk Universal Forwarder  9.1           -          Not affected      -

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.

Changelog

  • 2025-06-04: Updated the list of affected versions in the security advisory