June Third Party Package Updates in Splunk Enterprise
Advisory ID: SVD-2023-0613
CVE ID: Multiple
Published: 2023-06-01
Last Update: 2023-06-01
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following:
| CVE | Package | Remediation | Severity |
|---|---|---|---|
| CVE-2022-40303 | libxml2 | Patched | High |
| CVE-2022-40304 | libxml2 | Patched | High |
| CVE-2023-0286 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | High |
| CVE-2023-0215 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | High |
| CVE-2022-4304 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | Medium |
| CVE-2023-27538 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-27537 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-27536 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2023-27535 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-27534 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-27533 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-23916 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-23915 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-23914 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-43552 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-43551 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-42916 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-42915 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-35260 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32221 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-35252 | curl | Upgraded to 8.0.1 | Low |
| CVE-2022-32208 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32207 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-32206 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32205 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-30115 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27782 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27781 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27780 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27779 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27778 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27776 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27775 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27774 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-22576 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22947 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22946 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22945 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2021-22926 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22925 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22924 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22923 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22922 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22901 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22898 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22897 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22890 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22876 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2020-8286 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8285 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8284 | curl | Upgraded to 8.0.1 | Low |
| CVE-2020-8231 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8177 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8169 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-36227 | libarchive | Upgraded to 3.6.2 | Critical |
| CVE-2021-31566 | libarchive | Upgraded to 3.6.2 | High |
| CVE-2021-36976 | libarchive | Upgraded to 3.6.2 | Medium |
| CVE-2021-3520 | lz4 | Upgraded to 1.9.4 | Critical |
| CVE-2022-35737 | SQLite | Upgraded to 3.41.2 | High |
| CVE-2018-25032 | zlib | Applied patch | High |
| CVE-2022-37434 | zlib | Applied patch | Critical |
| CVE-2020-15138 | prismjs | Upgraded to 1.2.9 | High |
| CVE-2022-37616 | xmldom | Upgraded to 0.7.9 | Critical |
| CVE-2022-23491 | certifi | Upgraded to 2022.12.7 | High |
| CVE-2021-29060 | color-string | Upgraded to 1.5.5 | Medium |
| CVE-2022-38900 | decode-uri-component | Upgraded to 0.2.1 | High |
| CVE-2020-28469 | glob-parent | Upgraded to 5.1.2 | High |
| CVE-2022-46175 | json5 | Upgraded to 1.0.2 | High |
| CVE-2022-46175 | json5 | Upgraded to 2.2.3 | High |
| CVE-2022-37599 | loader-utils | Upgraded to 2.0.4 | High |
| CVE-2022-37601 | loader-utils | Upgraded to 2.0.4 | Critical |
| CVE-2022-37603 | loader-utils | Upgraded to 2.0.4 | High |
| CVE-2022-3517 | minimatch | Upgraded to 3.0.5 | High |
| CVE-2022-31129 | moment | Upgraded to 2.29.4 | High |
| CVE-2021-23343 | path-parse | Upgraded to 1.0.7 | High |
| CVE-2021-23368 | postcss | Upgraded to 7.0.36 | Medium |
| CVE-2021-23382 | postcss | Upgraded to 7.0.36 | High |
| CVE-2022-43680 | python3 | Upgraded to 3.7.16 | High |
| CVE-2022-24999 | qs | Upgraded to 6.5.3 | High |
| CVE-2020-7753 | ssri | Uppgraded to 6.0.2 | High |
| CVE-2022-25858 | terser | Upgraded to 4.8.1 | High |
| CVE-2021-3803 | nth-check | Upgraded to 2.0.1 | High |
| CVE-2020-7753 | trim | Upgraded to 0.0.3 | High |
| CVE-2021-33587 | css-what | Upgraded to 5.0.1 | High |
| CVE-2020-8116 | dot-prop | Upgraded to 4.2.1 | High |
| CVE-2020-13822 | elliptic | Upgraded to 6.5.4 | High |
| CVE-2022-33987 | got | Upgraded to 12.5.3 | Medium |
| CVE-2022-4200 | jackson-databind | Upgraded to 2.13.5 | Medium |
| CVE-2022-42004 | jackson-databind | Upgraded to 2.13.5 | High |
| CVE-2023-1370 | json-smart | Upgraded to 2.4.9 | High |
| CVE-2019-20149 | kind-of | Upgraded to 6.0.3 | High |
| CVE-2022-37601 | loader-utils | Upgraded to 1.4.2 | Critical |
| CVE-2022-37601 | loader-utils | Upgraded to 2.0.4 | Critical |
| CVE-2020-8203 | lodash | Upgraded to 4.17.21 | High |
| CVE-2019-10744 | lodash-es | Upgraded to 4.17.21 | Critical |
| CVE-2022-40023 | mako | Upgraded to 1.2.4 | High |
| CVE-2019-10746 | mixin-deep | Upgraded to 1.3.2 | Critical |
| CVE-2021-23382 | postcss | Upgraded to 7.0.37 | High |
| CVE-2021-33502 | normalize-url | Upgraded to 6.1.0 | High |
| CVE-2021-27292 | ua-parser-js | Upgraded to 0.7.35 | High |
| CVE-2021-33503 | urllib3 | Upgraded to 1.26.6 | High |
| CVE-2020-7662 | websocket-extensions | Upgraded to 0.1.4 | High |
| CVE-2020-7774 | y18n | Upgraded to 4.0.3 | Critical |
| CVE-2022-23806 | go, crypto/elliptic | Upgraded go to 1.2 | Critical |
| CVE-2022-23772 | go, math/big | Upgraded go to 1.2 | High |
| CVE-2021-43565 | go, x/crypto | Upgraded go to 1.2 | High |
| CVE-2022-30580 | go, os/exec | Upgraded go to 1.2 | High |
| CVE-2022-30633 | go, encoding/xml | Upgraded go to 1.2 | High |
| CVE-2022-28131 | go, encoding/xml | Upgraded go to 1.2 | High |
| CVE-2022-30632 | go, path/filepath | Upgraded go to 1.2 | High |
| CVE-2022-41716 | go | Upgraded go to 1.2 | High |
| CVE-2022-28327 | go, crypto/elliptic | Upgraded go to 1.2 | High |
| CVE-2022-24921 | go | Upgraded go to 1.2 | High |
| CVE-2022-30630 | go, io/fs | Upgraded go to 1.2 | High |
| CVE-2022-27191 | go, crypto/ssh | Upgraded go to 1.2 | High |
| CVE-2022-23773 | go, cmd/go | Upgraded go to 1.2 | High |
| CVE-2022-30634 | go, crypto/rand | Upgraded go to 1.2 | High |
| CVE-2022-41715 | go | Upgraded go to 1.2 | High |
| CVE-2022-24675 | go, encoding/pem | Upgraded go to 1.2 | High |
| CVE-2022-41720 | go | Upgraded go to 1.2 | High |
| CVE-2022-27664 | go, net/http | Upgraded go to 1.2 | High |
| CVE-2022-2880 | go, net/http | Upgraded go to 1.2 | High |
| CVE-2022-29804 | go, path/filepath | Upgraded go to 1.2 | High |
| CVE-2022-32189 | go, math/big | Upgraded go to 1.2 | High |
| CVE-2022-30635 | go, encoding/gob | Upgraded go to 1.2 | High |
| CVE-2022-30631 | go, compress/gzip | Upgraded go to 1.2 | High |
| CVE-2022-2879 | go | Upgraded go to 1.2 | High |
| CVE-2022-1705 | go, net/http | Upgraded go to 1.2 | Medium |
| CVE-2022-1962 | go, go/parse | Upgraded go to 1.2 | Medium |
| CVE-2022-29526 | go, sys | Upgraded go to 1.2 | Medium |
| CVE-2022-32148 | go, net/http | Upgraded go to 1.2 | Medium |
| CVE-2022-30629 | go, crypto/tls | Upgraded go to 1.2 | Low |
| CVE-2017-16042 | Growl | Upgraded to 1.10.5 | Critical |
| CVE-2021-20095 | Babel | Upgraded to 2.9.1 | Medium |
Solution
For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 8.1 | - | 8.1.13 and Lower | 8.1.14 |
| Splunk Enterprise | 8.2 | - | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.4 | 9.0.5 |
Severity
For the CVEs listed above, Splunk adopted the national vulnerability database (NVD) CVSS rating to align with industry standards.