Third-Party Package Updates in Splunk Enterprise - July 2024

Advisory ID: SVD-2024-0718

CVE ID: Multiple

Published: 2024-07-01

Last Update: 2024-10-03

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.2.2, 9.1.5, 9.0.10 and higher, including the following:

Package	Remediation	CVE	Severity
jackson-databind	Upgraded to 1.16.1	CVE-2023-35116	Medium
commons-io	Upgraded to 2.15.1	CVE-2021-29425	Medium
snappy-java	Upgraded to 1.1.10.5	CVE-2023-43642	High
snappy-java	Upgraded to 1.1.10.5	CVE-2023-34453	Medium
snappy-java	Upgraded to 1.1.10.5	CVE-2023-34454	Medium
snappy-java	Upgraded to 1.1.10.5	CVE-2023-34455	High
avro-sdk	Upgraded to 1.11.3	CVE-2023-39410	High
avatica-core₁	Removed	CVE-2022-36364	High
guava₂	Removed	CVE-2020-8908	Low
guava₃	Removed	CVE-2023-2976	Medium
guava₄	Removed	CVE-2018-10237	Medium
protobuf-java₅	Upgraded to 3.24.4	CVE-2022-3509	High
protobuf-java₆	Upgraded to 3.24.4	CVE-2022-3171	High
protobuf-java₇	Upgraded to 3.24.4	CVE-2022-3510	High
httpclient₈	Upgraded to 4.15.3	CVE-2020-13956	Medium
aiohttp₉	Upgraded to 3.8.6	CVE-2023-37276	Medium
aiohttp₁₀	Upgraded to 3.8.6	CVE-2023-47627	Medium
urllib3₁₁	Upgraded to 2.0.7	CVE-2023-43804	Medium
urllib3₁₂	Upgraded to 2.0.7	CVE-2023-45803	Medium
certifi₁₃	Upgraded to 2024.2.2	CVE-2023-37920	Low
idna₁₄	Upgraded to 3.7	CVE-2024-3651	Medium
pip	Upgraded to 24.0	CVE-2023-5752	Informational
setuptools	Upgraded to 65.5.1	CVE-2022-40897	Medium
pygments	Upgraded to 2.15.1	CVE-2022-40896	Medium
wheel	Upgraded to 0.41.2	CVE-2022-40898	Informational
requests₁₅	Upgraded to 2.31.0	CVE-2023-32681	Medium
future₁₆	Upgraded to 1.0.0	CVE-2022-40899	High

₁ Removed avatica-core from hive-exec

₂ Removed guava from hive-exec

₃ Removed guava from hive-exec

₄ Removed guava from hive-exec

₅ Upgrade protobuf-java in hive-exec

₆ Upgrade protobuf-java in hive-exec

₇ Upgrade protobuf-java in hive-exec

₈ Upgrade httpclient in hive-exec

₉ Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp

₁₀ Upgraded aiohttp in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp

₁₁ Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3

₁₂ Upgraded urllib3 in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/urllib3

₁₃ Upgraded certifi in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/certifi

₁₄ Upgraded idna in the Splunk Secure Gateway app, $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/idna

₁₅ Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/requests

₁₆ Upgraded requests in $SPLUNK_HOME/lib/python3.7/site-packages/future

Solution

Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

Product	Version	Affected Version	Fix Version
Splunk Enterprise	9.2	9.2.0 to 9.2.1	9.2.2
Splunk Enterprise	9.1	9.1.0 to 9.1.4	9.1.5
Splunk Enterprise	9.0	9.0.0 to 9.0.9	9.0.10

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating, when available, or the national vulnerability database (NVD) common vulnerability scoring system (CVSS) rating, otherwise.

For CVE-2023-37920, Splunk adopted the vendor’s severity rating. Please refer to GHSA-xqr8-7jwr-rhp7 for more information.

If you do not use Splunk Analytics for Hadoop, Splunk Archiver, Hadoop Data Roll, or Hunk (Legacy) the CVEs impacting the listed java packages (hive-exec, jackson-databind, commons-io, snappy-java, avro-sdk, avatica-core and guava) are informational.

If you disabled or removed Splunk Secure Gateway, the listed CVEs affecting aiohttp, urllib3, and certify are informational.

For pip and wheel, Splunk Enterprise does not utilize the package and is not impacted by the CVE. However, out of an abundance of caution, Splunk updated the package.

Changelog

2024-10-03: Added CVE-2022-3510, CVE-2022-3509, and CVE-2022-3171 to fixed. Corrected product fix versions.