Cyber Security News

Splunk Addresses Third-Party Package Vulnerabilities in Enterprise Versions – Update Now

Splunk has released critical security updates addressing multiple Common Vulnerabilities and Exposures (CVEs) in third-party packages across Enterprise versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, and higher. 

Published on July 7, 2025, these updates remediate high-severity vulnerabilities in essential components, including setuptools, golang.org/x/crypto, OpenSSL, and libcurl packages that could potentially compromise system security.

Key Takeaways
1. Splunk addresses critical CVEs in third-party packages across Enterprise versions.
2. Updates include setuptools, golang.org/x/crypto, libcurl (10 CVEs), OpenSSL, and golang runtime components.
3. Upgrade to minimum versions: Enterprise 9.4.3, 9.3.5, 9.2.7, or 9.1.10.
4. All supported Enterprise versions receive appropriate security patches despite some component limitations in older versions.

Critical GoLang x/crypto Vulnerability

The security advisory identifies multiple critical and high-severity vulnerabilities requiring immediate attention. 

The most critical vulnerability, CVE-2024-45337 with a severity rating of “Critical,” affects golang.org/x/crypto in the spl2-orchestrator component. 

This flaw is a high-severity weakness in the cryptographic implementations used by Go applications, potentially allowing attackers to compromise encrypted communications or bypass security controls.

The vulnerability specifically impacts applications that utilize the golang.org/x/crypto package for cryptographic operations, including encryption, decryption, and secure key management. 

In the context of Splunk Enterprise, this CVE affects the spl2-orchestrator component, which handles orchestration tasks within the Splunk platform.

High-Severity Flaws in Setuptools, GoLang, and Libcurl

High-severity vulnerabilities include CVE-2024-6345 in setuptools, CVE-2025-22869 in the golang.org/x/crypto identity component, and multiple CVEs affecting golang packages in the Mongodump and Mongorestore utilities.

The libcurl package presents particularly concerning exposure, with upgrades addressing ten separate CVEs, including CVE-2024-0853, CVE-2024-2398, CVE-2024-2466, CVE-2024-7264, CVE-2024-8096, CVE-2024-9681, CVE-2024-11053, CVE-2025-0167, and CVE-2025-0725. 

These vulnerabilities span different severity levels, with most classified as high-risk, potentially allowing unauthorized access or system compromise.

| Package | Patched Version / Remediation | CVE ID(s) | Severity |
| --- | --- | --- | --- |
| setuptools | Upgraded to 70.0.0 | CVE-2024-6345 | High |
| golang.org/x/crypto (compsup) | Upgraded to 0.37.0 | CVE-2024-45337, CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2024-45338 | High |
| golang.org/x/crypto (identity) | Upgraded to 0.36.0 | CVE-2025-22869 | High |
| golang.org/x/crypto (spl2-orchestrator) | Upgraded to 0.36.0 | CVE-2024-45337 | Critical |
| golang.org/x/net (compsup) | Upgraded to 0.39.0 | CVE-2024-45338 | Medium |
| golang.org/x/net (spl2-orchestrator) | Upgraded to 0.37.0 | CVE-2024-45338 | Medium |
| golang (Mongodump) | Upgraded to 1.24.2 | CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2024-45338, CVE-2025-22870 | High |
| golang (Mongorestore) | Upgraded to 1.24.2 | CVE-2025-22869, CVE-2025-27414, CVE-2025-22868, CVE-2025-23387, CVE-2025-23389, CVE-2025-23388, CVE-2025-22952, CVE-2024-45338, CVE-2025-22870 | High |
| golang (spl2-orchestrator) | Upgraded to 1.24.0 | Multiple CVEs | High |
| Beaker | Upgraded to 1.12.1 | CVE-2013-7489 | Medium |
| azure-storage-blob | Upgraded to 12.13.0 | CVE-2022-30187 | Medium |
| OpenSSL | Upgraded to 1.0.2zl | CVE-2024-13176 | Low |
| OpenSSL | Upgraded to 1.0.2zl | CVE-2024-9143 | Informational |
| libcurl | Upgraded to 8.11.1 | CVE-2024-0853, CVE-2024-2398, CVE-2024-2466, CVE-2024-7264, CVE-2024-8096, CVE-2024-9681, CVE-2024-11053, CVE-2025-0167, CVE-2025-0725 | High |

Organizations must immediately upgrade to the following minimum versions: Splunk Enterprise 9.4.3 (from 9.4.0-9.4.2), 9.3.5 (from 9.3.0-9.3.4), 9.2.7 (from 9.2.0-9.2.6), or 9.1.10 (from 9.1.0-9.1.9). 

It’s important to note that certain binaries like compsup are not present in 9.1.x versions, and spl2-orchestrator is absent from 9.3.x, 9.2.x, 9.1.x, and older versions. 

Despite these version-specific limitations, all supported Enterprise versions receive appropriate security patches for their respective components, ensuring comprehensive protection across the deployment ecosystem.
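The affected ranges and minimum fixed releases above map cleanly onto a per-branch version check. The following script is an added example, not Splunk's own tooling: it parses a Splunk Enterprise version string (or the contents of the splunk.version file under SPLUNK_HOME, whose VERSION= line format is an assumption made here), finds the branch, and reports whether the install is below the fixed release named in the advisory. The sample file contents are constructed for the example.

```python
"""
Assess whether a Splunk Enterprise version is below the minimum patched
release named in the July 2025 third-party package advisory.

Added example; not Splunk's own tooling. Fixed versions and affected ranges
come from the advisory text; the splunk.version file layout is an assumption.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per branch, from the advisory.
# Affected range per branch runs from the branch's .0 release up to, but
# not including, the fixed release (e.g. 9.3.0-9.3.4 -> fixed in 9.3.5).
FIXED_BY_BRANCH = {
    (9, 4): (9, 4, 3),
    (9, 3): (9, 3, 5),
    (9, 2): (9, 2, 7),
    (9, 1): (9, 1, 10),
}

# Constructed sample of a splunk.version file (layout assumed for this example).
SAMPLE_VERSION_FILE = """VERSION=9.2.4
BUILD=constructed-build-id
PRODUCT=splunk
PLATFORM=Linux-x86_64
"""


def parse_version(text: str) -> Version:
    """Parse a 'major.minor.patch' string; any trailing build suffix is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_splunk_version_file(content: str) -> Version:
    """Extract the VERSION= value from splunk.version-style content."""
    for line in content.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "VERSION":
            return parse_version(value)
    raise ValueError("no VERSION line found in splunk.version content")


def assess(version: Version) -> Tuple[str, Optional[Version]]:
    """
    Return (status, minimum_fixed_release).

    status is 'vulnerable' when the install is in an affected range,
    'patched' when it is at or above the fixed release for its branch, and
    'unknown' when the branch is not covered by the advisory (check the
    advisory directly rather than assuming either way).
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown", None
    if version < fixed:          # tuple comparison: (9, 1, 9) < (9, 1, 10)
        return "vulnerable", fixed
    return "patched", fixed


def format_version(v: Version) -> str:
    return ".".join(str(x) for x in v)


def report(version_text: str) -> str:
    """One-line human-readable verdict for a version string."""
    version = parse_version(version_text)
    status, fixed = assess(version)
    if status == "unknown":
        return f"{format_version(version)}: branch not listed in advisory"
    return f"{format_version(version)}: {status} (minimum fixed release {format_version(fixed)})"


if __name__ == "__main__":
    import sys
    # Usage: python check_splunk_version.py 9.3.2
    # or:    python check_splunk_version.py < $SPLUNK_HOME/etc/splunk.version
    if len(sys.argv) > 1:
        print(report(sys.argv[1]))
    else:
        print(report(format_version(parse_splunk_version_file(sys.stdin.read()))))
```

On a live host the version string also comes from the `splunk version` CLI command; feed its first line to `report()` the same way. The script deliberately reports "unknown" for branches the advisory does not name rather than treating them as safe.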


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
