Third-Party Package Updates in Splunk Enterprise - July 2024

Advisory ID: SVD-2024-0718

CVE ID: Multiple

Published: 2024-07-01

Last Update: 2024-10-03

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Enterprise versions 9.2.2, 9.1.5, and 9.0.10 and higher, including the following:

| Package | Remediation | CVE | Severity |
|---|---|---|---|
| jackson-databind | Upgraded to 1.16.1 | CVE-2023-35116 | Medium |
| commons-io | Upgraded to 2.15.1 | CVE-2021-29425 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-43642 | High |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34453 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34454 | Medium |
| snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34455 | High |
| avro-sdk | Upgraded to 1.11.3 | CVE-2023-39410 | High |
| avatica-core [1] | Removed | CVE-2022-36364 | High |
| guava [2] | Removed | CVE-2020-8908 | Low |
| guava [3] | Removed | CVE-2023-2976 | Medium |
| guava [4] | Removed | CVE-2018-10237 | Medium |
| protobuf-java [5] | Upgraded to 3.24.4 | CVE-2022-3509 | High |
| protobuf-java [6] | Upgraded to 3.24.4 | CVE-2022-3171 | High |
| protobuf-java [7] | Upgraded to 3.24.4 | CVE-2022-3510 | High |
| httpclient [8] | Upgraded to 4.15.3 | CVE-2020-13956 | Medium |
| aiohttp [9] | Upgraded to 3.8.6 | CVE-2023-37276 | Medium |
| aiohttp [10] | Upgraded to 3.8.6 | CVE-2023-47627 | Medium |
| urllib3 [11] | Upgraded to 2.0.7 | CVE-2023-43804 | Medium |
| urllib3 [12] | Upgraded to 2.0.7 | CVE-2023-45803 | Medium |
| certifi [13] | Upgraded to 2024.2.2 | CVE-2023-37920 | Low |
| idna [14] | Upgraded to 3.7 | CVE-2024-3651 | Medium |
| pip | Upgraded to 24.0 | CVE-2023-5752 | Informational |
| setuptools | Upgraded to 65.5.1 | CVE-2022-40897 | Medium |
| pygments | Upgraded to 2.15.1 | CVE-2022-40896 | Medium |
| wheel | Upgraded to 0.41.2 | CVE-2022-40898 | Informational |
| requests [15] | Upgraded to 2.31.0 | CVE-2023-32681 | Medium |
| future [16] | Upgraded to 1.0.0 | CVE-2022-40899 | High |

[1] Removed avatica-core from hive-exec

[2] Removed guava from hive-exec

[3] Removed guava from hive-exec

[4] Removed guava from hive-exec

[5] Upgraded protobuf-java in hive-exec

[6] Upgraded protobuf-java in hive-exec

[7] Upgraded protobuf-java in hive-exec

[8] Upgraded httpclient in hive-exec

[9] Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp

[10] Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp

[11] Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3

[12] Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3

[13] Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi

[14] Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna

[15] Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests

[16] Upgraded future in $SPLUNK_HOME/lib/python3.7/site-packages/future

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

| Product | Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.2 | | 9.2.0 to 9.2.1 | 9.2.2 |
| Splunk Enterprise | 9.1 | | 9.1.0 to 9.1.4 | 9.1.5 |
| Splunk Enterprise | 9.0 | | 9.0.0 to 9.0.9 | 9.0.10 |
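As an added example (not Splunk tooling or part of this advisory), the following Python check applies the Product Status ranges above to an installed Splunk Enterprise version and compares observed bundled Python package versions with the fix versions in the remediation table; the function names and the way observed versions are supplied are this example's own assumptions.

```python
"""Check a Splunk Enterprise version and bundled Python packages against SVD-2024-0718.

Affected ranges and fix versions are copied from the advisory tables; the helper
names are this example's own and are not a Splunk API.
"""
from typing import Dict, Optional, Tuple

# (affected low, affected high) -> fix version, per the Product Status table.
AFFECTED_RANGES = {
    "9.2": (("9.2.0", "9.2.1"), "9.2.2"),
    "9.1": (("9.1.0", "9.1.4"), "9.1.5"),
    "9.0": (("9.0.0", "9.0.9"), "9.0.10"),
}

# Minimum fixed versions of the Python packages listed in the remediation table.
FIXED_PYTHON_PACKAGES = {
    "aiohttp": "3.8.6", "urllib3": "2.0.7", "certifi": "2024.2.2", "idna": "3.7",
    "pip": "24.0", "setuptools": "65.5.1", "pygments": "2.15.1", "wheel": "0.41.2",
    "requests": "2.31.0", "future": "1.0.0",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a purely numeric dotted version such as '9.0.10' into a comparable tuple.
    Comparing tuples avoids the classic string-compare bug where '9.0.10' < '9.0.9'."""
    return tuple(int(part) for part in v.strip().split("."))


def fix_version_for(installed: str) -> Optional[str]:
    """Return the fix version if `installed` is inside an affected range, else None.
    Version lines the advisory does not list (e.g. 8.x) also return None."""
    ver = parse_version(installed)
    entry = AFFECTED_RANGES.get(".".join(str(p) for p in ver[:2]))
    if entry is None:
        return None
    (low, high), fix = entry
    return fix if parse_version(low) <= ver <= parse_version(high) else None


def outdated_packages(observed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Given {package: observed version} read from the bundled site-packages,
    return {package: (observed, required)} for every package below its fix version."""
    behind = {}
    for name, required in FIXED_PYTHON_PACKAGES.items():
        seen = observed.get(name)
        if seen is not None and parse_version(seen) < parse_version(required):
            behind[name] = (seen, required)
    return behind
```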

Severity

For the CVEs in this list, Splunk adopted the vendor's severity rating when available, and otherwise the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) rating.

For CVE-2023-37920, Splunk adopted the vendor's severity rating. Refer to GHSA-xqr8-7jwr-rhp7 for more information.

If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy), the CVEs impacting the listed Java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core, and guava) are informational.

If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, certifi, and idna are informational.

For pip and wheel, Splunk Enterprise does not use these packages and is not impacted by their CVEs. However, out of an abundance of caution, Splunk updated them.

Changelog

  • 2024-10-03: Added CVE-2022-3510, CVE-2022-3509, and CVE-2022-3171 to the list of fixed CVEs. Corrected product fix versions.