November 2023 Third Party Package updates in Splunk Enterprise

Advisory ID: SVD-2023-1105

CVE ID: Multiple

Published: 2023-11-16

Last Update: 2023-11-16

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise, including the following:

| Package | Remediation | CVE | Severity |
|---|---|---|---|
| protobuf | Upgraded to 3.15.8 | CVE-2021-22570 | Medium |
| bottle | Upgraded to 0.12.25 | CVE-2022-31799 | Informational |
| python | Upgraded to 3.7.17 | CVE-2023-24329 | High |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3817 | Low |
| openssl | Upgraded to 1.0.2zi | CVE-2023-3446 | Low |

Solution

For Splunk Enterprise, upgrade versions to 9.0.7 or 9.1.2.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | Splunk Web | 9.0.0 to 9.0.6 | 9.0.7 |
| Splunk Enterprise | 9.1 | Splunk Web | 9.1.0 to 9.1.1 | 9.1.2 |

Severity

Splunk Enterprise does not use bottle and is not impacted by CVE-2022-31799. Otherwise, for the CVEs in this list, Splunk adopted the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) rating to align with industry standards.

Changelog

  • 2024-01-09: Added information concerning CVE-2022-31799 to Severity section.