Third-Party Package Updates in Splunk Enterprise - July 2024
Advisory ID: SVD-2024-0718
CVE ID: Multiple
Published: 2024-07-01
Last Update: 2024-10-03
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Enterprise versions 9.2.2, 9.1.5, 9.0.10 and higher, including the following (bracketed numbers refer to the notes below the table):
Package | Remediation | CVE | Severity
---|---|---|---
jackson-databind | Upgraded to 1.16.1 | CVE-2023-35116 | Medium
commons-io | Upgraded to 2.15.1 | CVE-2021-29425 | Medium
snappy-java | Upgraded to 1.1.10.5 | CVE-2023-43642 | High
snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34453 | Medium
snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34454 | Medium
snappy-java | Upgraded to 1.1.10.5 | CVE-2023-34455 | High
avro-sdk | Upgraded to 1.11.3 | CVE-2023-39410 | High
avatica-core [1] | Removed | CVE-2022-36364 | High
guava [2] | Removed | CVE-2020-8908 | Low
guava [3] | Removed | CVE-2023-2976 | Medium
guava [4] | Removed | CVE-2018-10237 | Medium
protobuf-java [5] | Upgraded to 3.24.4 | CVE-2022-3509 | High
protobuf-java [6] | Upgraded to 3.24.4 | CVE-2022-3171 | High
protobuf-java [7] | Upgraded to 3.24.4 | CVE-2022-3510 | High
httpclient [8] | Upgraded to 4.15.3 | CVE-2020-13956 | Medium
aiohttp [9] | Upgraded to 3.8.6 | CVE-2023-37276 | Medium
aiohttp [10] | Upgraded to 3.8.6 | CVE-2023-47627 | Medium
urllib3 [11] | Upgraded to 2.0.7 | CVE-2023-43804 | Medium
urllib3 [12] | Upgraded to 2.0.7 | CVE-2023-45803 | Medium
certifi [13] | Upgraded to 2024.2.2 | CVE-2023-37920 | Low
idna [14] | Upgraded to 3.7 | CVE-2024-3651 | Medium
pip | Upgraded to 24.0 | CVE-2023-5752 | Informational
setuptools | Upgraded to 65.5.1 | CVE-2022-40897 | Medium
pygments | Upgraded to 2.15.1 | CVE-2022-40896 | Medium
wheel | Upgraded to 0.41.2 | CVE-2022-40898 | Informational
requests [15] | Upgraded to 2.31.0 | CVE-2023-32681 | Medium
future [16] | Upgraded to 1.0.0 | CVE-2022-40899 | High
[1] Removed avatica-core from hive-exec
[2] Removed guava from hive-exec
[3] Removed guava from hive-exec
[4] Removed guava from hive-exec
[5] Upgraded protobuf-java in hive-exec
[6] Upgraded protobuf-java in hive-exec
[7] Upgraded protobuf-java in hive-exec
[8] Upgraded httpclient in hive-exec
[9] Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
[10] Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp
[11] Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
[12] Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3
[13] Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi
[14] Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna
[15] Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests
[16] Upgraded future in $SPLUNK_HOME/lib/python3.7/site-packages/future
Solution
Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version
---|---|---|---|---
Splunk Enterprise | 9.2 | | 9.2.0 to 9.2.1 | 9.2.2
Splunk Enterprise | 9.1 | | 9.1.0 to 9.1.4 | 9.1.5
Splunk Enterprise | 9.0 | | 9.0.0 to 9.0.9 | 9.0.10
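The Product Status table is easy to misread when an installation sits on a maintenance release that is not exactly one of the listed endpoints (for example 9.0.12, or a pre-9.0 build the table does not cover). The following Python script is an added example, not part of the advisory or Splunk's own tooling; it encodes the three affected ranges and fix versions exactly as the table states them and classifies an installed version as affected, fixed, or not covered by this table. The `VERSION=` line format and the `$SPLUNK_HOME/etc/splunk.version` location are assumptions about where the installed version is recorded; the sample file content is constructed for the example.

```python
"""Classify a Splunk Enterprise version against this advisory's Product Status table.

Added example; the affected ranges and fix versions are copied from the table
above, everything else (file location, line format) is an assumption.
"""
from __future__ import annotations

import re

# (first affected, last affected, fix version), all bounds inclusive,
# one entry per row of the Product Status table.
ADVISORY_RANGES: list[tuple[tuple[int, ...], tuple[int, ...], tuple[int, ...]]] = [
    ((9, 2, 0), (9, 2, 1), (9, 2, 2)),
    ((9, 1, 0), (9, 1, 4), (9, 1, 5)),
    ((9, 0, 0), (9, 0, 9), (9, 0, 10)),
]

# Constructed sample of the assumed $SPLUNK_HOME/etc/splunk.version content.
SAMPLE_SPLUNK_VERSION_FILE = "VERSION=9.2.1\nBUILD=constructed-build-id\nPRODUCT=splunk\n"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'major.minor.patch' into an integer tuple so comparisons are numeric,
    not lexical ('9.0.10' must sort after '9.0.9')."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_splunk_version_file(content: str) -> str:
    """Extract the VERSION= value from the (assumed) splunk.version file content."""
    for line in content.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "VERSION":
            return value.strip()
    raise ValueError("no VERSION= line found")


def check_version(version: str) -> tuple[str, str | None]:
    """Return (status, fix_version) where status is one of:
    'affected'  - inside a listed affected range; fix_version is the upgrade target
    'fixed'     - on a listed maintenance line, at or above its fix version
    'unlisted'  - not on any line the table covers (e.g. 8.x or 9.3+); the table
                  makes no statement about it, so treat it as needing separate review
    """
    v = parse_version(version)
    for first, last, fix in ADVISORY_RANGES:
        fix_str = ".".join(map(str, fix))
        if first <= v <= last:
            return "affected", fix_str
        if v[:2] == fix[:2] and v >= fix:
            return "fixed", fix_str
    return "unlisted", None


if __name__ == "__main__":
    installed = version_from_splunk_version_file(SAMPLE_SPLUNK_VERSION_FILE)
    status, fix = check_version(installed)
    print(f"Splunk Enterprise {installed}: {status}" + (f" (upgrade to {fix} or higher)" if status == "affected" else ""))
```

The `unlisted` result is deliberate: a version the table does not mention is not evidence that it is unaffected, only that this advisory says nothing about it, which matters for deployments still on 8.x lines.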
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise.
For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.
If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy), the CVEs impacting the listed Java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava) are informational.
If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, and certifi are informational.
For pip and wheel, Splunk Enterprise does not utilize the package and is not impacted by the CVE. However, out of an abundance of caution, Splunk updated the package.
Changelog
- 2024-10-03: Added CVE-2022-3510, CVE-2022-3509, and CVE-2022-3171 to fixed. Corrected product fix versions.