This page lists announcements of security fixes made in Critical Security Alerts, Quarterly Security Patch Updates, and Third Party Bulletins.
Splunk will publish out-of-band advisories for vulnerabilities that are time-sensitive as soon as possible.
|SVD-2022-0608||June 14, 2022||Deployment servers allow client publishing of bundles||Critical||CVE-2022-32158|
|SVD-2022-0607||June 14, 2022||Deployment servers allow unauthenticated bundle access||High||CVE-2022-32157|
|SVD-2022-0606||June 14, 2022||Splunk Enterprise and UF CLI connections lacked TLS cert...||High||CVE-2022-32156|
|SVD-2022-0605||June 14, 2022||UF management services allows remote login by default||NA||CVE-2022-32155|
|SVD-2022-0604||June 14, 2022||Risky commands warnings in dashboards||Medium||CVE-2022-32154|
|SVD-2022-0603||June 14, 2022||Splunk Enterprise lacked TLS host name certificate validat...||High||CVE-2022-32153|
|SVD-2022-0602||June 14, 2022||Splunk Enterprise lacked TLS certificate validation for S2S...||High||CVE-2022-32152|
|SVD-2022-0601||June 14, 2022||Splunk Enterprise disabled TLS validation using the CA cer...||High||CVE-2022-32151|
|SVD-2022-0301||March 24, 2022||Indexer denial-of-service via malformed S2S request||High||CVE-2021-3422|
Security Updates are collections of security fixes for supported versions of Splunk products. We plan to create Security Patch Updates and make them available through scheduled cloud releases or on-premises maintenance releases for supported versions of Splunk products at the time of the quarterly advisory disclosure. When patches can not be backported due to technical feasibility or otherwise, we will publish mitigation and additional compensating control guidance.
Security Patch Updates are typically published on the first Tuesday of Splunk’s fiscal quarter. The next three planned dates are:
|SVD-2022-0803||August 16, 2022||Malformed ZIP file crash via file monitoring input||Medium||CVE-2022-37439|
|SVD-2022-0802||August 16, 2022||Information disclosure via the dashboard drilldown||Low||CVE-2022-37438|
|SVD-2022-0801||August 16, 2022||Ingest Actions UI disabled TLS certificate validation||High||CVE-2022-37437|
|SVD-2022-0507||May 3, 2022||Error message discloses internal path||Medium||CVE-2022-26070|
|SVD-2022-0506||May 3, 2022||Path Traversal in search parameter||High||CVE-2022-26889|
|SVD-2022-0505||May 3, 2022||Reflected XSS in a query parameter||High||CVE-2022-27183|
|SVD-2022-0504||May 3, 2022||Bypass of DUO MFA||High||CVE-2021-26253|
|SVD-2022-0503||May 3, 2022||S2S TcpToken authentication bypass||High||CVE-2021-31559|
|SVD-2022-0502||May 3, 2022||Username enumeration||Medium||CVE-2021-33845|
|SVD-2022-0501||May 3, 2022||Local privilege escalation in Splunk Enterprise Windows||High||CVE-2021-42743|
For archived security announcements, go to the Security Announcements Archive.
Third-Party Bulletins announce security patches for third-party software. Splunk publishes Third Party Bulletins on the same day as Critical Security Alerts or Quarterly Security Patch Updates.
|SVD-2022-0804||August 16, 2022||August Third Party Package updates in Splunk Enterprise and UFs||Medium|
|NA||January 7, 2022||Apache Log4j CVE-2021-44228, and CVE-2021-45046||Critical|
Splunk continuously monitors for vulnerabilities discovered through scans, offensive exercises, employees or externally reported by vendors or researchers. Splunk follows industry best practices to discover and remediate vulnerabilities. To report a security vulnerability, please submit to the Security Vulnerability Submission Portal.
Splunk will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Security Alert or the Security Patch Update. Splunk does not distribute active exploit code (i.e. proof of concept code) for vulnerabilities in our products.
The Splunk teams regularly evaluate Critical Security Alerts, Quarterly Security Patch Updates and Third Party bulletins as they become available and apply the relevant patches in accordance with applicable change management processes.
Customers requiring additional information that is not addressed in the Critical Patch Update Advisory may obtain information by going to the Support Portal and submitting a New Case.