Third-Party Package Updates in Splunk Enterprise - January 2024

Advisory ID: SVD-2024-0109

CVE ID: Multiple

Published: 2024-01-22

Last Update: 2024-01-26

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third-Party Packages in Splunk Enterprise versions 9.0.8 and 9.1.3, including the following:

| Package | Remediation | CVE | Severity |
|---|---|---|---|
| golang, in Splunk Assist | Upgraded golang from 1.20.7 to 1.20.10 | Multiple* | See vendor |
| golang, in mongodump and mongorestore | Upgraded golang from 1.19** to 1.20.10 | Multiple* | See vendor |
| future, Python 3, in Upgrade Readiness App | Upgraded to 0.18.3 | CVE-2022-40899 | High |
| future, Python 2, in Upgrade Readiness App | Upgraded to 0.18.3 | CVE-2022-40899 | High |
| certifi | Patched*** | CVE-2023-37920 | Low |

*For more information on the vulnerabilities impacting older golang versions, please refer to the vendor’s Release History.

**Splunk upgraded from a version of mongodump and mongorestore using golang 1.19.8 in Darwin builds, golang 1.19.9 in Windows builds, and golang 1.19.10 in Linux builds to golang 1.20.10.

***Splunk patched certifi at $SPLUNK_HOME/lib/python3.7/site-packages/certifi by backporting the cacert.pem from certifi 2023.07.22 into the installed certifi 2019.6.16.

Solution

Upgrade Splunk Enterprise to version 9.0.8, 9.1.3, or higher.

As an alternative to updating, if you’re not using the Upgrade Readiness App (URA), you may disable or uninstall the app to remediate both CVE-2022-40899 findings (the Python 2 and Python 3 copies of future). See Manage app and add-on objects for help.

As an alternative to updating, if you’re not using the Splunk Assist app, you may disable or uninstall the app to remediate the golang vulnerabilities in Splunk Assist. See Manage app and add-on objects for help.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.0 | - | 9.0.0 to 9.0.7 | 9.0.8 |
| Splunk Enterprise | 9.1 | - | 9.1.0 to 9.1.2 | 9.1.3 |
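The Product Status ranges and the two app-disable alternatives from the Solution section, combined into a triage helper as an added example (not Splunk's code). It assumes the version comes either as a plain x.y.z string or as the first line of `splunk version` output, and that whether the Upgrade Readiness App and Splunk Assist are enabled is supplied by the caller.

```python
"""Added example: triage a Splunk Enterprise install against SVD-2024-0109."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected and fix versions exactly as given in the advisory's Product Status table.
PRODUCT_STATUS: Dict[str, Dict[str, Version]] = {
    "9.0": {"first": (9, 0, 0), "last": (9, 0, 7), "fixed": (9, 0, 8)},
    "9.1": {"first": (9, 1, 0), "last": (9, 1, 2), "fixed": (9, 1, 3)},
}


def parse_version(text: str) -> Version:
    """Accept '9.0.7' or a line such as 'Splunk 9.0.7 (build ...)' (assumed format)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version_text: str, ura_enabled: bool, assist_enabled: bool) -> Dict[str, object]:
    """Report whether the version is in an affected range and which remediations apply.

    ura_enabled / assist_enabled say whether the Upgrade Readiness App and Splunk
    Assist are enabled; these are the two apps the advisory allows disabling
    instead of upgrading."""
    v = parse_version(version_text)
    entry = PRODUCT_STATUS.get(f"{v[0]}.{v[1]}")
    if entry is None:
        # Version lines the advisory does not list: report "not listed", don't guess.
        return {"version": v, "affected": None, "fix_version": None, "actions": []}
    affected = entry["first"] <= v <= entry["last"]
    actions: List[str] = []
    if affected:
        fix = ".".join(map(str, entry["fixed"]))
        actions.append(f"upgrade to {fix} or higher (remediates every package in the table)")
        if ura_enabled:
            actions.append("alternative for CVE-2022-40899 (future): disable or uninstall "
                           "the Upgrade Readiness App if it is not in use")
        if assist_enabled:
            actions.append("alternative for golang issues in Splunk Assist: disable or "
                           "uninstall the Splunk Assist app if it is not in use")
        actions.append("certifi (CVE-2023-37920) and golang in mongodump/mongorestore: "
                       "the advisory lists no alternative to upgrading")
    return {"version": v, "affected": affected,
            "fix_version": entry["fixed"] if affected else None, "actions": actions}
```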

Severity

For CVE-2022-40899, Splunk adopted NVD’s severity rating.

For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.

For more information on the vulnerabilities impacting older golang versions, please refer to the vendor’s Release History for the individual issues.

Changelog

  • 2023-01-26: Updated and simplified OSS table. Updated Severity section with clarifications to match updates to the OSS table. Moved certifi clarifications under the table. Added additional solutions concerning the URA and Splunk Assist apps. Replaced mongotools with mongodump and mongorestore (Splunk does not ship all mongotool packages). Added clarification around updates to golang for mongorestore, mongodump, and Splunk Assist. Referred to the vendor for the list and severities of golang vulnerabilities.