June Third Party Package Updates in Splunk Enterprise

Advisory ID: SVD-2023-0613

CVE ID:  Multiple

Published: 2023-06-01

Last Update: 2023-06-01

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in versions 8.1.14, 8.2.11, and 9.0.5 of Splunk Enterprise, including the following:

| CVE | Package | Remediation | Severity |
| --- | --- | --- | --- |
| CVE-2022-40303 | libxml2 | Patched | High |
| CVE-2022-40304 | libxml2 | Patched | High |
| CVE-2023-0286 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | High |
| CVE-2023-0215 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | High |
| CVE-2022-4304 | OpenSSL 1.0.2 | Upgraded to 1.0.2zg | Medium |
| CVE-2023-27538 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-27537 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-27536 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2023-27535 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-27534 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-27533 | curl | Upgraded to 8.0.1 | High |
| CVE-2023-23916 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-23915 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2023-23914 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-43552 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-43551 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-42916 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-42915 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-35260 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32221 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-35252 | curl | Upgraded to 8.0.1 | Low |
| CVE-2022-32208 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32207 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2022-32206 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-32205 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-30115 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27782 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27781 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27780 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27779 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27778 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27776 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-27775 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-27774 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2022-22576 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22947 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22946 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22945 | curl | Upgraded to 8.0.1 | Critical |
| CVE-2021-22926 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22925 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22924 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22923 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22922 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22901 | curl | Upgraded to 8.0.1 | High |
| CVE-2021-22898 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22897 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2021-22890 | curl | Upgraded to 8.0.1 | Low |
| CVE-2021-22876 | curl | Upgraded to 8.0.1 | Medium |
| CVE-2020-8286 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8285 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8284 | curl | Upgraded to 8.0.1 | Low |
| CVE-2020-8231 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8177 | curl | Upgraded to 8.0.1 | High |
| CVE-2020-8169 | curl | Upgraded to 8.0.1 | High |
| CVE-2022-36227 | libarchive | Upgraded to 3.6.2 | Critical |
| CVE-2021-31566 | libarchive | Upgraded to 3.6.2 | High |
| CVE-2021-36976 | libarchive | Upgraded to 3.6.2 | Medium |
| CVE-2021-3520 | lz4 | Upgraded to 1.9.4 | Critical |
| CVE-2022-35737 | SQLite | Upgraded to 3.41.2 | High |
| CVE-2018-25032 | zlib | Applied patch | High |
| CVE-2022-37434 | zlib | Applied patch | Critical |
| CVE-2020-15138 | prismjs | Upgraded to 1.2.9 | High |
| CVE-2022-37616 | xmldom | Upgraded to 0.7.9 | Critical |
| CVE-2022-23491 | certifi | Upgraded to 2022.12.7 | High |
| CVE-2021-29060 | color-string | Upgraded to 1.5.5 | Medium |
| CVE-2022-38900 | decode-uri-component | Upgraded to 0.2.1 | High |
| CVE-2020-28469 | glob-parent | Upgraded to 5.1.2 | High |
| CVE-2022-46175 | json5 | Upgraded to 1.0.2 | High |
| CVE-2022-46175 | json5 | Upgraded to 2.2.3 | High |
| CVE-2022-37599 | loader-utils | Upgraded to 2.0.4 | High |
| CVE-2022-37601 | loader-utils | Upgraded to 2.0.4 | Critical |
| CVE-2022-37603 | loader-utils | Upgraded to 2.0.4 | High |
| CVE-2022-3517 | minimatch | Upgraded to 3.0.5 | High |
| CVE-2022-31129 | moment | Upgraded to 2.29.4 | High |
| CVE-2021-23343 | path-parse | Upgraded to 1.0.7 | High |
| CVE-2021-23368 | postcss | Upgraded to 7.0.36 | Medium |
| CVE-2021-23382 | postcss | Upgraded to 7.0.36 | High |
| CVE-2022-43680 | python3 | Upgraded to 3.7.16 | High |
| CVE-2022-24999 | qs | Upgraded to 6.5.3 | High |
| CVE-2020-7753 | ssri | Upgraded to 6.0.2 | High |
| CVE-2022-25858 | terser | Upgraded to 4.8.1 | High |
| CVE-2021-3803 | nth-check | Upgraded to 2.0.1 | High |
| CVE-2020-7753 | trim | Upgraded to 0.0.3 | High |
| CVE-2021-33587 | css-what | Upgraded to 5.0.1 | High |
| CVE-2020-8116 | dot-prop | Upgraded to 4.2.1 | High |
| CVE-2020-13822 | elliptic | Upgraded to 6.5.4 | High |
| CVE-2022-33987 | got | Upgraded to 12.5.3 | Medium |
| CVE-2022-4200 | jackson-databind | Upgraded to 2.13.5 | Medium |
| CVE-2022-42004 | jackson-databind | Upgraded to 2.13.5 | High |
| CVE-2023-1370 | json-smart | Upgraded to 2.4.9 | High |
| CVE-2019-20149 | kind-of | Upgraded to 6.0.3 | High |
| CVE-2022-37601 | loader-utils | Upgraded to 1.4.2 | Critical |
| CVE-2022-37601 | loader-utils | Upgraded to 2.0.4 | Critical |
| CVE-2020-8203 | lodash | Upgraded to 4.17.21 | High |
| CVE-2019-10744 | lodash-es | Upgraded to 4.17.21 | Critical |
| CVE-2022-40023 | mako | Upgraded to 1.2.4 | High |
| CVE-2019-10746 | mixin-deep | Upgraded to 1.3.2 | Critical |
| CVE-2021-23382 | postcss | Upgraded to 7.0.37 | High |
| CVE-2021-33502 | normalize-url | Upgraded to 6.1.0 | High |
| CVE-2021-27292 | ua-parser-js | Upgraded to 0.7.35 | High |
| CVE-2021-33503 | urllib3 | Upgraded to 1.26.6 | High |
| CVE-2020-7662 | websocket-extensions | Upgraded to 0.1.4 | High |
| CVE-2020-7774 | y18n | Upgraded to 4.0.3 | Critical |
| CVE-2022-23806 | go, crypto/elliptic | Upgraded go to 1.2 | Critical |
| CVE-2022-23772 | go, math/big | Upgraded go to 1.2 | High |
| CVE-2021-43565 | go, x/crypto | Upgraded go to 1.2 | High |
| CVE-2022-30580 | go, os/exec | Upgraded go to 1.2 | High |
| CVE-2022-30633 | go, encoding/xml | Upgraded go to 1.2 | High |
| CVE-2022-28131 | go, encoding/xml | Upgraded go to 1.2 | High |
| CVE-2022-30632 | go, path/filepath | Upgraded go to 1.2 | High |
| CVE-2022-41716 | go | Upgraded go to 1.2 | High |
| CVE-2022-28327 | go, crypto/elliptic | Upgraded go to 1.2 | High |
| CVE-2022-24921 | go | Upgraded go to 1.2 | High |
| CVE-2022-30630 | go, io/fs | Upgraded go to 1.2 | High |
| CVE-2022-27191 | go, crypto/ssh | Upgraded go to 1.2 | High |
| CVE-2022-23773 | go, cmd/go | Upgraded go to 1.2 | High |
| CVE-2022-30634 | go, crypto/rand | Upgraded go to 1.2 | High |
| CVE-2022-41715 | go | Upgraded go to 1.2 | High |
| CVE-2022-24675 | go, encoding/pem | Upgraded go to 1.2 | High |
| CVE-2022-41720 | go | Upgraded go to 1.2 | High |
| CVE-2022-27664 | go, net/http | Upgraded go to 1.2 | High |
| CVE-2022-2880 | go, net/http | Upgraded go to 1.2 | High |
| CVE-2022-29804 | go, path/filepath | Upgraded go to 1.2 | High |
| CVE-2022-32189 | go, math/big | Upgraded go to 1.2 | High |
| CVE-2022-30635 | go, encoding/gob | Upgraded go to 1.2 | High |
| CVE-2022-30631 | go, compress/gzip | Upgraded go to 1.2 | High |
| CVE-2022-2879 | go | Upgraded go to 1.2 | High |
| CVE-2022-1705 | go, net/http | Upgraded go to 1.2 | Medium |
| CVE-2022-1962 | go, go/parse | Upgraded go to 1.2 | Medium |
| CVE-2022-29526 | go, sys | Upgraded go to 1.2 | Medium |
| CVE-2022-32148 | go, net/http | Upgraded go to 1.2 | Medium |
| CVE-2022-30629 | go, crypto/tls | Upgraded go to 1.2 | Low |
| CVE-2017-16042 | Growl | Upgraded to 1.10.5 | Critical |
| CVE-2021-20095 | Babel | Upgraded to 2.9.1 | Medium |

Solution

For Splunk Enterprise, upgrade versions to 8.1.14, 8.2.11, 9.0.5, or higher.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
| --- | --- | --- | --- | --- |
| Splunk Enterprise | 8.1 | - | 8.1.13 and Lower | 8.1.14 |
| Splunk Enterprise | 8.2 | - | 8.2.0 to 8.2.10 | 8.2.11 |
| Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.4 | 9.0.5 |
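
To triage a fleet against the Product Status table, the following added example (not part of Splunk's advisory) classifies reported version strings by branch. Assumptions: versions arrive as strings such as "Splunk 9.0.4 (build ...)", the inventory is constructed sample data, a release that sits between an affected range and its fix version (for example 9.0.4.1) is treated as affected, and branches absent from the table are reported as not listed rather than guessed.

```python
import re

# Fix version per release branch, taken from the Product Status table.
FIXES = {(8, 1): (8, 1, 14), (8, 2): (8, 2, 11), (9, 0): (9, 0, 5)}
OLDEST_FIX = (8, 1, 14)  # "8.1.13 and Lower" covers everything below this


def parse_version(text):
    """Extract a dotted version such as 9.0.4 or 9.0.4.1 as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None


def classify(text):
    """Return (status, fix_version) for one reported version string."""
    v = parse_version(text)
    if v is None:
        return ("unparsed", None)
    if v < OLDEST_FIX:
        return ("affected", "8.1.14")
    fix = FIXES.get(v[:2])
    if fix is None:
        return ("not-listed", None)  # branch absent from the advisory table
    if v < fix:
        return ("affected", ".".join(map(str, fix)))
    return ("fixed", None)


def triage(inventory):
    """Map host -> fix version for every host still below its branch's fix."""
    results = ((host, classify(ver)) for host, ver in inventory)
    return {host: fix for host, (status, fix) in results if status == "affected"}


# Constructed inventory for illustration (host names and builds are made up).
SAMPLE = [
    ("idx01", "Splunk 8.1.13 (build 0000000000)"),
    ("idx02", "Splunk 8.2.11 (build 0000000000)"),
    ("sh01", "Splunk 9.0.4.1 (build 0000000000)"),
    ("hf01", "Splunk 9.1.0 (build 0000000000)"),
    ("lm-legacy", "7.3.9"),
]

if __name__ == "__main__":
    for host, fix in triage(SAMPLE).items():
        print(f"{host}: upgrade to {fix} or higher")
```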

Severity

For the CVEs listed above, Splunk adopted the National Vulnerability Database (NVD) CVSS rating to align with industry standards.