November 2023 Third Party Package updates in Splunk Enterprise
Advisory ID: SVD-2023-1105
CVE ID: Multiple
Published: 2023-11-16
Last Update: 2023-11-16
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| protobuf | Upgraded to 3.15.8 | CVE-2021-22570 | Medium |
| bottle | Upgraded to 0.12.25 | CVE-2022-31799 | Informational |
| python | Upgraded to 3.7.17 | CVE-2023-24329 | High |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3817 | Low |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3446 | Low |
Solution
For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.6 | 9.0.7 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.1 | 9.1.2 |
Severity
Splunk Enterprise does not use bottle and is not impacted by CVE-2022-31799. Otheriwse, for the CVEs in this list, Splunk adopted the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating to align with industry standards.
Changelog
- 2024-01-09: Added information concerning CVE-2022-31799 to Severity section.