Third-Party Package Updates in Python for Scientific Computing - August 2024
Advisory ID: SVD-2024-0801
CVE ID: Multiple
Published: 2024-08-12
Last Update: 2024-08-12
Description
Splunk remedied the following common vulnerabilities and exposures (CVEs) in third-party packages shipped with Python for Scientific Computing (PSC) version 4.2.1:
Package | Remediation | CVE | Severity |
---|---|---|---|
idna | Upgraded to 3.7 | CVE-2024-3651 | Medium |
bottle | Upgraded to 0.12.23 | CVE-2020-28473 | Medium |
bottle | Upgraded to 0.12.23 | CVE-2022-31799 | Critical |
future | Upgraded to 0.18.3 | CVE-2022-40899 | High |
scipy | Upgraded to 1.10.0 | CVE-2023-25399 | Medium |
pydantic | Upgraded to 1.10.13 | CVE-2024-3772 | Medium |
onnx | Upgraded to 1.16.0 | CVE-2022-25882 | High |
onnx | Upgraded to 1.16.0 | CVE-2024-27318 | High |
onnx | Upgraded to 1.16.0 | CVE-2024-27319 | Medium |
numpy | Upgraded to 1.23.0 | CVE-2021-34141 | Medium |
urllib3 | Upgraded to 1.26.19 | CVE-2024-37891 | Medium |
urllib3 | Upgraded to 1.26.19 | CVE-2023-45803 | Medium |
urllib3 | Upgraded to 1.26.19 | CVE-2023-43804 | Medium |
torch | Upgraded to 2.2.2 | CVE-2022-45907 | Critical |
torch | Upgraded to 2.2.2 | CVE-2024-31583 | High |
torch | Upgraded to 2.2.2 | CVE-2024-31580 | High |
requests | Upgraded to 2.32.3 | CVE-2024-35195 | Medium |
certifi | Upgraded to 2024.7.4 | CVE-2023-37920 | Medium |
openssl | Upgraded to 3.3.1 | CVE-2023-5678 | Medium |
transformers | Upgraded to 4.38.1 | CVE-2023-7018 | High |
transformers | Upgraded to 4.38.1 | CVE-2023-6730 | High |
transformers | Upgraded to 4.38.1 | CVE-2024-3568 | Low |
transformers | Upgraded to 4.38.1 | CVE-2023-2800 | Medium |
tqdm | Upgraded to 4.66.4 | CVE-2024-34062 | Medium |
setuptools [1] | Upgraded to 70.0.0 | CVE-2024-6345 | High |
setuptools [2] | Upgraded to 70.0.0 | CVE-2022-40897 | Medium |
scikit-learn | Upgraded to 1.5.1 | CVE-2024-5206 | Medium |
scikit-learn | Upgraded to 1.5.1 | CVE-2020-28975 | High |
[1] Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2024-6345.
[2] Python for Scientific Computing (for Windows 64-bit) is not affected by CVE-2022-40897.
Solution
Upgrade Python for Scientific Computing (PSC) to version 4.2.1 or higher.
For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to 4.2.1 requires updating MLTK to 5.4.2 or higher. Upgrading MLTK to 5.4.2 may require retraining models. See Upgrade the Splunk Machine Learning Toolkit for help upgrading and Install the Splunk Machine Learning Toolkit for more information on the version compatibility.
For Splunk IT Service Intelligence (ITSI), upgrading PSC to 4.2.1 may cause errors with ITSI Predictive Analytics. After upgrading, ITSI Predictive Analytics models may require retraining. See Retrain a predictive model in ITSI for more information.
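The remediation table above gives, per package, the version that carries the fix. The script below is an added example, not Splunk's code or part of this advisory: it audits the Python environment it runs in (or any mapping of package name to version you hand it) against those minimum versions and reports which packages are still below the remediated release. It compares only the numeric release segment of a version string, treating pre-releases (a/b/rc/dev) as older than the final release and local suffixes such as `+cu121` as equal to it; the `windows` flag applies the two footnotes that exempt the Windows build from the setuptools CVEs. The `openssl` row is deliberately absent from the table in the code because OpenSSL is a native library bundled with PSC, not a pip distribution, so it has to be checked separately.

```python
"""Audit installed package versions against the SVD-2024-0801 remediation table.

Added example for illustration; not part of the advisory or of PSC itself.
"""
import importlib.metadata as md
import re
from typing import Callable, Dict, Optional, Tuple

# Minimum fixed versions, transcribed from the advisory's remediation table.
# openssl is a native library bundled with PSC rather than a pip distribution,
# so it is not listed here and must be checked separately.
FIXED_VERSIONS: Dict[str, str] = {
    "idna": "3.7",
    "bottle": "0.12.23",
    "future": "0.18.3",
    "scipy": "1.10.0",
    "pydantic": "1.10.13",
    "onnx": "1.16.0",
    "numpy": "1.23.0",
    "urllib3": "1.26.19",
    "torch": "2.2.2",
    "requests": "2.32.3",
    "certifi": "2024.7.4",
    "transformers": "4.38.1",
    "tqdm": "4.66.4",
    "setuptools": "70.0.0",
    "scikit-learn": "1.5.1",
}

# Per the advisory's footnotes, the Windows 64-bit build is not affected by the
# two setuptools CVEs, so an audit of a Windows install may skip that package.
WINDOWS_EXEMPT = frozenset({"setuptools"})

_RELEASE_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")
_PRERELEASE_RE = re.compile(r"^[.\-_]?(a|b|rc|dev)")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Map a version string to a comparable key.

    Only the numeric release segment is compared (trailing zeros are dropped so
    that '1.23' == '1.23.0'); a pre-release suffix such as 'rc1' sorts below
    the final release, while local/post suffixes ('+cu121', '.post1') do not.
    """
    m = _RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    is_prerelease = bool(_PRERELEASE_RE.match(version[m.end():].lower()))
    return (tuple(nums), 0 if is_prerelease else 1)


def is_remediated(installed: str, fixed: str) -> bool:
    """True if `installed` is at or above the advisory's fixed version."""
    return version_key(installed) >= version_key(fixed)


def installed_version(dist: str) -> Optional[str]:
    """Look up a distribution's version in the running interpreter, or None."""
    try:
        return md.version(dist)
    except md.PackageNotFoundError:
        return None


def audit(
    lookup: Callable[[str], Optional[str]] = installed_version,
    windows: bool = False,
) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {package: (status, installed_version)} for every listed package.

    status is one of 'ok', 'vulnerable', 'not installed' or 'not affected'.
    `lookup` defaults to the running environment; pass e.g. `some_dict.get`
    to audit a pip freeze captured elsewhere.
    """
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for pkg, fixed in FIXED_VERSIONS.items():
        found = lookup(pkg)
        if windows and pkg in WINDOWS_EXEMPT:
            report[pkg] = ("not affected", found)
        elif found is None:
            report[pkg] = ("not installed", None)
        elif is_remediated(found, fixed):
            report[pkg] = ("ok", found)
        else:
            report[pkg] = ("vulnerable", found)
    return report


if __name__ == "__main__":
    for pkg, (status, found) in audit().items():
        print(f"{pkg:14} {status:14} installed={found} fixed>={FIXED_VERSIONS[pkg]}")
```

Run it with the interpreter that PSC actually provides (for example Splunk's bundled one), not the system Python, or the report describes the wrong environment. A package reported as "not installed" may simply be absent from that environment, which is fine; only "vulnerable" rows need action, and the advisory's own remedy remains upgrading PSC rather than patching individual packages in place.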
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Python for Scientific Computing (for Linux 64-bit) | 4.2 | | 4.2.0 | 4.2.1 |
Python for Scientific Computing (for Mac Apple Silicon) | 4.2 | | 4.2.0 | 4.2.1 |
Python for Scientific Computing (for Mac Intel) | 4.2 | | 4.2.0 | 4.2.1 |
Python for Scientific Computing (for Windows 64-bit) | 4.2 | | 4.2.0 | 4.2.1 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.