Third-Party Package Updates in Splunk Enterprise - July 2024
Advisory ID: SVD-2024-0718
CVE ID: Multiple
Published: 2024-07-01
Last Update: 2024-07-01
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.1, 9.1.4, 9.0.9 and higher, including the following:
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| jackson-databind | Upgraded to 1.16.1 | CVE-2023-35116 | Medium |
| commons-io | Upgraded to 2.15.1 | CVE-2021-29425 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-43642 | High |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34453 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34454 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34455 | High |
| avro-sdk | Upgraded to 1.11.3 | CVE-2023-39410 | High |
| avatica-core1 | Removed | CVE-2022-36364 | High |
| guava2 | Removed | CVE-2020-8908 | Low |
| guava3 | Removed | CVE-2023-2976 | Medium |
| guava4 | Removed | CVE-2018-10237 | Medium |
| aiohttp5 | Upgraded to 3.8.6 | CVE-2023-37276 | Medium |
| aiohttp6 | Upgraded to 3.8.6 | CVE-2023-47627 | Medium |
| urllib37 | Upgraded to 2.0.7 | CVE-2023-43804 | Medium |
| urllib38 | Upgraded to 2.0.7 | CVE-2023-45803 | Medium |
| certifi9 | Upgraded to 2024.2.2 | CVE-2023-37920 | Low |
| idna10 | Upgraded to 3.7 | CVE-2024-3651 | Medium |
| pip | Upgraded to 24.0 | CVE-2023-5752 | Informational |
| setuptools | Upgraded to 65.5.1 | CVE-2022-40897 | Medium |
| pygments | Upgraded to 2.15.1 | CVE-2022-40896 | Medium |
| wheel | Upgraded to 0.41.2 | CVE-2022-40898 | informational |
| requests11 | Upgraded to 2.31.0 | CVE-2023-32681 | Medium |
| future12 | Upgraded to 1.0.0 | CVE-2022-40899 | High |
1 Removed avatica-core from hive-exec
2 Removed guava from hive-exec
3 Removed guava from hive-exec
4 Removed guava from hive-exec
5 Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
6 Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
7 Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
8 Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
9 Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi
10 Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna
11 Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests
12 Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/future
Solution
Upgrade Splunk Enterprise to versions 9.2.1, 9.1.4, and 9.0.9, or higher.
Product Status
| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.0.1 | 9.2.1 | |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.3 | 9.1.4 | |
| Splunk Enterprise | 9.0 | 9.0.0 to 9.0.8 | 9.0.9 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise.
For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.
If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy) the CVEs impacting the listed java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava) are informational.
If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, and certify are informational.
For pip and wheel, Splunk Enterprise does not utilize the package and is not impacted by the CVE. However, out of an abundance of caution, Splunk updated the package.