Splunk Product Security Portal
OpenSSL "Heartbleed" Security Updates
April 10th, 2014: Splunk has fixed and made available for download a 6.0.3 maintenance release to address two vulnerabilities found in OpenSSL. Read more on our latest blog post.
How to Report a Splunk Vulnerability
About this Portal
The Splunk Product Security Portal serves as the authority for the following:
- Splunk Product Security Announcements
- Splunk Product Security Policy
- Splunk Product Security Best Practices
Splunk Product Security Announcements
- April 10, 2014: Splunk 6.0.3 addresses two vulnerabilities
- March 25, 2014: Splunk 5.0.8 addresses one vulnerability
- December 17, 2013: Splunk 6.0.1 addresses one vulnerability
- November 20, 2013: Splunk 5.0.6 addresses one vulnerability
- September 23rd, 2013: Splunk 5.0.5 addresses one vulnerability
- July 29th, 2013: Splunk 5.0.4 addresses one vulnerability
- May 28th, 2013: Splunk 5.0.3 addresses multiple vulnerabilities
- March 25th, 2013: Splunk 4.3.6 addresses one vulnerability
- November 16th, 2012: Splunk 4.3.5 and 5.0 address three vulnerabilities
- November 1st, 2012: Splunk 5.0 updates to python 2.7.3, addressing two vulnerabilities
- March 5th, 2012: Splunk 4.3.1 addresses one vulnerability
- December 12th, 2011: Splunk 4.2.5 addresses three vulnerabilities
- October 19th, 2011: Splunk 4.2.4 addresses two vulnerabilities
- August 9th, 2011: Splunk 4.2.3 addresses two vulnerabilities
- June 15th, 2011: Splunk 4.2.2 addresses open redirect in Splunk Web
- April 18th, 2011: Splunk 4.2.1 addresses one security vulnerability
- February 10th, 2011: Splunk 4.1.7 addresses five security vulnerabilities
- December 1st, 2010: Splunk 4.1.6 updates OpenSSL to 0.9.8p address CVE-2010-3864
- September 9th, 2010: Splunk 4.1.5 addresses two security vulnerabilities
- June 7th, 2010: Cross-site Scripting in Splunk Web with 404 Responses in Internet Explorer
- May 10th, 2010: Vulnerability in Example PAM Authentication Script
- May 3rd, 2010: Splunk Critical Maintenance Release and Patch
Stay up to date on security announcements. Subscribe to our RSS feed to be alerted of new announcements.
Splunk Product Security Policy
Splunk maintains a policy of evaluating all potential security vulnerabilities that are discovered internally or externally within 48 hours of discovery.
Splunk uses the Common Vulnerability Scoring System Version 2 to rate vulnerabilities. CVSSv2 is an industry-standard rating system for security incidents. Scores are calculated using the best available analysis and metrics and are included in all vulnerability announcements.
Splunk maintains the following policy of responsible vulnerability fixing:
- Splunk releases, including maintenance, minor and major releases, will include cumulative fixes for vulnerabilities that are found, verified and able to be fixed within the timeframe of the release.
- Splunk will issue releases to fix vulnerabilities for all applicable and supported versions.
- In the case of critical risk, high impact vulnerabilities, Splunk will make all reasonable effort to expedite maintenance releases for all affected versions.
- In the case of critical risk, high impact vulnerabilities, Splunk will make all reasonable effort to supply patches, assuming that patches are a viable stop-gap for customers who cannot otherwise upgrade Splunk.
Splunk maintains the following policy of responsible disclosure:
- Splunk will announce vulnerabilities via, www.splunk.com, Splunk Product Security Announcements and CVE.
- Splunk will not publicly announce security vulnerabilities until fixes are publicly available.
- For critical risk, high impact vulnerabilities, Splunk may contact customers that are especially vulnerable in order to recommend mitigations in the case that a fix is not yet available.
- Splunk will not release the exact details of vulnerabilities.
Splunk Product Security Best Practices
Harden all Splunk Instances per Splunk Hardening Standards
Subscribe to our product security RSS feed
Our RSS feed contains all official product security announcements, and is updated as soon as an announcement is released.
Per the Splunk Product Security Policy, someone will be in touch with you within 48 hours of receipt of your communication.