Third-Party Package Updates in Splunk Enterprise - July 2025
Advisory ID: SVD-2025-0710
CVE ID: Multiple
Published: 2025-07-07
Last Update: 2025-07-16
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, and higher, including the following:
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| setuptools1 | Upgraded to 70.0.0 | CVE-2024-6345 | High |
| golang.org/x/crypto2 | Upgraded golang crypto in compsup to 0.37.0 | Multiple | High |
| golang.org/x/crypto | Upgraded golang crypto in identity to 0.36.0 | CVE-2025-22869 | High |
| golang.org/x/crypto3 | Upgraded golang crypto in spl2-orchestrator to 0.36.0 | CVE-2024-45337 | Critical |
| golang.org/x/net4 | Upgraded golang net in compsup to 0.39.0 | CVE-2024-45338 | Medium |
| golang.org/x/net5 | Upgraded golang net in spl2-orchestrator to 0.37.0 | CVE-2024-45338 | Medium |
| golang6 | Upgraded golang in Mongodump to 1.24.2 | Multiple | High |
| golang7 | Upgraded golang in Mongorestore to 1.24.2 | Multiple | High |
| golang | Upgraded golang in spl2-orchestrator to 1.24.0 | Multiple | High |
| Beaker8 | Upgraded to 1.12.1 | CVE-2013-7489 | Medium |
| azure-storage-blob | Upgraded to 12.13.0 | CVE-2022-30187 | Medium |
| OpenSSL | Upgraded to 1.0.2zl | CVE-2024-13176 | Low |
| OpenSSL9 | Upgraded to 1.0.2zl | CVE-2024-9143 | Informational |
| libcurl10 | Upgraded to 8.11.1 | Multiple | High |
1 Upgraded setuptools to version 70.0.0 for Python 3.9 packages located at /opt/splunk/lib/python3.9/site-packages/setuptools
2 Upgraded golang crypto in compsup to 0.37.0 to remedy CVE-2024-45337, CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2025-27414, and CVE-2024-45338 . The compsup binary is not in 9.1.x
3 The spl2-orchestrator binary is not in 9.3.x, 9.2.x, 9.1.x or older
4 The compsup binary is not in 9.1.x
5 The spl2-orchestrator binary is not in 9.3.x, 9.2.x, 9.1.x or older
6 Upgraded golang in Mongodump to 1.24.2 to remedy CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2025-27414, CVE-2024-45338, and CVE-2025-22870
7 Upgraded golang in Mongorestore to 1.24.2 to remedy CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2025-27414, CVE-2024-45338, and CVE-2025-22870
8 Upgraded Beaker Python package to 1.12.1 in 9.2.7 Splunk Enterprise
9 Splunk Enterprise’s and Universal Forwarder’s OpenSSL is not affected by CVE-2024-9143. However, Splunk upgraded OpenSSL to v1.0.2zl to mitigate CVE-2024-13176.
10 Upgraded libcurl to 8.11.1 to remedy CVE-2024-0853, CVE-2024-2398, CVE-2024-2466, CVE-2024-7264, CVE-2024-8096, CVE-2024-9681, CVE-2024-11053, CVE-2025-0167, and CVE-2025-0725.
Solution
Upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.2 | 9.4.3 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.9 | 9.1.10 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.
Changelog
- 2025-07-16: Updated the OpenSSL note description with information related to CVE-2024-13176.