Third-Party Package Updates in Splunk Enterprise - December 2024
Advisory ID: SVD-2024-1206
CVE ID: Multiple
Published: 2024-12-10
Last Update: 2024-12-10
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Enterprise versions 9.1.7, 9.2.4, and 9.3.2, and higher, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
Apache Commons Compress [1] | Upgraded to 1.26.2 | Multiple | Medium |
io.airlift:aircompressor [2] | Removed | CVE-2024-36114 | High |
go-grpc-compression [3] | Upgraded to 1.2.3 | CVE-2024-36129 | High |
go.opentelemetry.io/collector/config/confighttp [4] | Upgraded to 0.106.1 | CVE-2024-36129 | High |
go.opentelemetry.io/collector/config/configgrpc [5] | Upgraded to 0.106.1 | CVE-2024-36129 | High |
OpenSSL [6] | Upgraded to 1.0.2zk | CVE-2024-5535 | Informational |
node.js [7] | Applied patch to 8.17.0 | CVE-2021-44531 | NA |
path-to-regexp [8] | Upgraded to 1.9.0 | CVE-2024-45296 | High |
micromatch [9] | Upgraded to 4.0.8 | CVE-2024-4067 | Medium |
micromatch [10] | Upgraded to 4.0.8 | CVE-2024-4067 | Medium |
elliptic [11] | Upgraded to 6.5.7 | Multiple | High |
bootstrap [12] | Removed | CVE-2024-6531 | Medium |
[1] Upgraded $SPLUNK_HOME/bin/jars/thirdparty/common/commons-compress-1.21.jar from 1.21 to 1.26.2 to remedy CVE-2024-26308 and CVE-2024-25710.
[2] Splunk Enterprise removed the $SPLUNK_HOME/bin/jars/thirdparty/hive_4_0/hive-exec-4.0.0.jar/META-INF/maven/io.airlift library from hive-exec.
[3] Upgraded $SPLUNK_HOME/bin/compsup/github.com/mostynb/go-grpc-compression from 1.2.0 to 1.2.3.
[4] Upgraded $SPLUNK_HOME/bin/compsup/go.opentelemetry.io/collector/config/confighttp from 0.83.0 to 0.106.1.
[5] Upgraded $SPLUNK_HOME/bin/compsup/go.opentelemetry.io/collector/config/configgrpc from 0.83.0 to 0.106.1.
[6] CVE-2024-5535 does not affect Splunk Enterprise. The OpenSSL implementation does not call SSL_select_next_proto and does not use the affected functionality. However, out of an abundance of caution, Splunk upgraded it.
[7] To remedy CVE-2021-44531, Splunk manually applied the patch to node.js version 8.17.0. The patch disables the URI SAN type during hostname verification: entries of URI type are now ignored, and only DNS names and IP addresses are considered for verification.
[8] Upgraded path-to-regexp in Splunk Secure Gateway from 1.8.0 to 1.9.0 and downgraded the library from 6.2.2 to 1.9.0 in SplunkWeb.
[9] Upgraded micromatch in Splunk Monitoring Console from 3.1.10 to 4.0.8.
[10] Upgraded micromatch in Splunk Secure Gateway from 4.0.5 to 4.0.8.
[11] Upgraded elliptic in Splunk Monitoring Console from 6.5.4 to 6.5.7 to remedy CVE-2024-42459, CVE-2024-42460 and CVE-2024-42461.
[12] Splunk Monitoring Console removed the bootstrap dependency.
Solution
Upgrade Splunk Enterprise to versions 9.1.7, 9.2.4, 9.3.2, or higher.
Product Status
Product | Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 9.3 | | 9.3.0 to 9.3.1 | 9.3.2 |
Splunk Enterprise | 9.2 | | 9.2.0 to 9.2.3 | 9.2.4 |
Splunk Enterprise | 9.1 | | 9.1.0 to 9.1.6 | 9.1.7 |
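As an added check (not part of the advisory or of Splunk's own tooling), the following Python helper compares an installed Splunk Enterprise version against the affected ranges in the Product Status table and reports the fix version; it assumes the version banner has the form `Splunk X.Y.Z (build ...)`, and the build id in the sample is a constructed placeholder.

```python
"""Check a Splunk Enterprise version against the SVD-2024-1206 affected ranges."""
import re
from typing import NamedTuple, Optional, Tuple


class FixLine(NamedTuple):
    first_affected: Tuple[int, ...]  # inclusive
    last_affected: Tuple[int, ...]   # inclusive
    fix: str


# Affected and fixed versions as listed in the Product Status table above.
ADVISORY_LINES = {
    "9.3": FixLine((9, 3, 0), (9, 3, 1), "9.3.2"),
    "9.2": FixLine((9, 2, 0), (9, 2, 3), "9.2.4"),
    "9.1": FixLine((9, 1, 0), (9, 1, 6), "9.1.7"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.0.1' into (9, 2, 0, 1); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from a banner such as 'Splunk 9.2.3 (build ...)'. Assumed format."""
    match = re.search(r"\bSplunk\s+(\d+(?:\.\d+){2,})", banner)
    return match.group(1) if match else None


def check_version(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fix_version); status is 'affected', 'fixed' or 'not listed'.

    Maintenance builds such as 9.2.0.1 sort after 9.2.0 and before 9.2.1, so the
    first three components decide membership in the affected range. Minor lines the
    advisory does not mention (e.g. 9.0.x) are reported as 'not listed', not as fixed.
    """
    v = parse_version(text)
    entry = ADVISORY_LINES.get(f"{v[0]}.{v[1]}")
    if entry is None:
        return ("not listed", None)
    if entry.first_affected <= v and v[:3] <= entry.last_affected:
        return ("affected", entry.fix)
    return ("fixed", entry.fix)


if __name__ == "__main__":
    # Constructed sample banner; the build id is a placeholder, not a real build.
    sample = "Splunk 9.2.3 (build 0123456789ab)"
    print(sample, "->", check_version(version_from_banner(sample)))
```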
Severity
For the CVEs in this list, Splunk adopted the severity rating that the vendor published.