November 2023 Third Party Package updates in Splunk Enterprise

Advisory ID: SVD-2023-1105

CVE ID: Multiple

Published: 2023-11-16

Last Update: 2023-11-16

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:

| Package | Remediation | Severity |
|---|---|---|
| protobuf | Upgraded to 3.15.8 | CVE-2021-22570 |
| bottle | Upgraded to 0.12.25 | CVE-2022-31799 |
| python | Upgraded to 3.7.17 | CVE-2023-24329 |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3817 |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3446 |

Solution

For Splunk Enterprise, upgrade to version 9.0.7 or 9.1.2.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.6 | 9.0.7 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.1 | 9.1.2 |

Severity

For the CVEs in this list, Splunk adopted the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) rating to align with industry standards.