Splunk Product Security Portal

How to Report a Splunk Vulnerability

About this Portal

The Splunk Product Security Portal serves as the authority for the following:

Subscribe to our RSS feed to be alerted of new announcements.

Splunk Product Security Announcements

November 14, 2017:Splunk Enterprise 7.0.0.1/7.0.1, 6.6.3.2/6.6.4, 6.5.6, 6.4.9 and 6.3.12 address multiple SAML vulnerabilities
October 27, 2017:Splunk response to Potential Local Privilege Escalation via non-root Splunk Installation Instructions
August 21, 2017:Splunk Enterprise 6.6.3 and Splunk Light 6.6.3 address multiple vulnerabilities
June 06, 2017:Splunk Enterprise 6.3.11 and Splunk Light 6.5.3 address one vulnerability
April 24, 2017:Splunk Enterprise 6.4.7 and Splunk Light 6.5.3 address multiple vulnerabilities
April 05, 2017:Splunk response to Path Traversal vulnerability in Splunk Hadoop Connect App
March 30, 2017:Splunk Enterprise 6.5.3, 6.2.13.1 and Splunk Light 6.5.2 address multiple vulnerabilities
February 23, 2017:Splunk Enterprise 6.4.6 and Splunk Light 6.5.2 address one vulnerability
January 25, 2017:Splunk Enterprise 6.2.13 addresses multiple vulnerabilities
December 15, 2016:Splunk Enterprise 6.4.5 addresses multiple vulnerabilities
November 21, 2016:Splunk Enterprise 6.5.1 addresses multiple vulnerabilities
November 10, 2016:Splunk Enterprise 6.5.0, 6.4.4, 6.3.8, 6.2.12, 6.1.12, 6.0.13, and 5.0.17 address multiple vulnerabilities
August 22, 2016:Splunk Enterprise 6.4.3 and Splunk Light 6.4.3 address one vulnerability
July 28, 2016:Splunk Enterprise 6.4.2, 6.3.6, 6.2.11, 6.1.11, 6.0.12, 5.0.16 and Splunk Light 6.4.2 address multiple security vulnerabilities
June 6, 2016:Splunk Enterprise 6.3.5 and Splunk Light 6.3.5 address two vulnerabilities
April 6, 2016:Splunk Enterprise 6.3.3.4, 6.2.9, 6.1.10, 6.0.11, and 5.0.15 and Splunk Light 6.3.3.4 and 6.2.9 address multiple vulnerabilities
November 19, 2015:Splunk Enterprise 6.2.7 addresses one vulnerability
September 14, 2015:Splunk Enterprise 6.2.6 and Splunk Light 6.2.6 address one vulnerability
August 11, 2015:Splunk Enterprise 6.2.5, 6.1.9, 6.0.10, 5.0.14 and Splunk Light 6.2.5 address multiple vulnerabilities
July 7, 2015:Splunk Enterprise 6.2.4 and Splunk Light 6.2.4 address two vulnerabilities
May 27, 2015:Splunk Enterprise 6.1.8, 6.0.9, and 5.0.13 address multiple vulnerabilities
April 30, 2015:Splunk Enterprise 6.2.3 and Splunk Light 6.2.3 address five vulnerabilities
March 24, 2015:Splunk Enterprise 6.1.7, 6.0.8, and 5.0.12 address two vulnerabilities
February 23, 2015:Splunk Enterprise 6.2.2 addresses two vulnerabilities
January 28, 2015:Splunk response to "GHOST" vulnerability (CVE-2015-0235)
January 13, 2015:Splunk response to Janaury 2015 OpenSSL security issues
November 20, 2014:Splunk Enterprise versions 6.0.7 and 5.0.11 address three vulnerabilities
November 11, 2014:Splunk Enterprise 6.1.5 addresses two vulnerabilities
October 14, 2014:Splunk response to SSLv3 "POODLE" vulnerability (CVE-2014-3566)
September 30, 2014:Splunk Enterprise 6.1.4 and 5.0.10 addresses four vulnerabilities
September 29, 2014:Splunk response to "shellshock" vulnerabilities
September 3, 2014:Splunk Enterprise 6.0.6 addresses two vulnerabilities
August 4th, 2014:Splunk Enterprise 6.1.3 addresses two vulnerabilities
July 1st, 2014:Splunk Enterprise 6.1.2, 6.0.5 and 5.0.9 address two vulnerabilities (CCS Injection)
May 9th, 2014:Splunk Enterprise 6.0.4 addresses one vulnerability
April 10th, 2014:Splunk Enterprise 6.0.3 addresses two vulnerabilities (Heartbleed)
March 25th, 2014:Splunk Enterprise 5.0.8 addresses one vulnerability
December 17th, 2013:Splunk Enterprise 6.0.1 addresses one vulnerability
November 20th, 2013:Splunk Enterprise 5.0.6 addresses one vulnerability
September 23rd, 2013:Splunk Enterprise 5.0.5 addresses one vulnerability
July 29th, 2013:Splunk Enterprise 5.0.4 addresses one vulnerability
May 28th, 2013:Splunk Enterprise 5.0.3 addresses multiple vulnerabilities
March 25th, 2013:Splunk Enterprise 4.3.6 addresses one vulnerability
November 16th, 2012:Splunk Enterprise 4.3.5 and 5.0 address three vulnerabilities
November 1st, 2012:Splunk Enterprise 5.0 addresses two vulnerabilities
March 5th, 2012:Splunk Enterprise 4.3.1 addresses one vulnerability
December 12th, 2011:Splunk Enterprise 4.2.5 addresses three vulnerabilities
October 19th, 2011:Splunk Enterprise 4.2.4 addresses two vulnerabilities
August 9th, 2011:Splunk Enterprise 4.2.3 addresses two vulnerabilities
June 15th, 2011:Splunk Enterprise 4.2.2 addresses one vulnerability
April 18th, 2011:Splunk Enterprise 4.2.1 addresses one vulnerability
February 10th, 2011:Splunk Enterprise 4.1.7 addresses five vulnerabilities
December 1st, 2010:Splunk Enterprise 4.1.6 addresses one vulnerability
September 9th, 2010:Splunk Enterprise 4.1.5 addresses two vulnerabilities
June 7th, 2010:Cross-site Scripting in Splunk Web with 404 Responses in Internet Explorer
May 10th, 2010:Vulnerability in Example PAM Authentication Script
May 3rd, 2010:Splunk Enterprise Critical Maintenance Release and Patch

Splunk Product Security Policy

Evaluation:

Splunk maintains a policy of evaluating all potential security vulnerabilities that are discovered internally or externally within two business days of discovery.

Splunk uses the Common Vulnerability Scoring System Version 2 to rate vulnerabilities. CVSSv2 is an industry-standard rating system for security incidents. Scores are calculated using the best available analysis and metrics and are included in all vulnerability announcements.

Fixing:

Splunk maintains the following policy of responsible vulnerability fixing:

  • Splunk releases, including maintenance, minor and major releases, will include cumulative fixes for vulnerabilities that are found, verified and able to be fixed within the timeframe of the release.
  • Splunk will issue releases to fix vulnerabilities for all applicable and supported versions.
  • In the case of critical risk, high impact vulnerabilities, Splunk will make all reasonable effort to expedite maintenance releases for all affected versions.
  • In the case of critical risk, high impact vulnerabilities, Splunk will make all reasonable effort to supply patches, assuming that patches are a viable stop-gap for customers who cannot otherwise upgrade Splunk.

Disclosure

Splunk maintains the following policy of responsible disclosure:

  • Splunk will announce vulnerabilities via www.splunk.com/prodsec and Splunk Product Security Announcements RSS feed.
  • Splunk will not publicly announce security vulnerabilities until fixes are publicly available.
  • For critical risk, high impact vulnerabilities, Splunk may contact customers that are especially vulnerable in order to recommend mitigations in the case that a fix is not yet available.
  • Splunk will not release the exact details of vulnerabilities.

Splunk Product Security Best Practices

Harden all Splunk Instances per Splunk Hardening Standards

Application of some or all of the Splunk Hardening Standards, which are located in the Securing Splunk manual, will help mitigate the risk and impact of most vulnerabilities.

Subscribe to our product security RSS feed

Our RSS feed contains all official product security announcements, and is updated as soon as an announcement is released.

Per the Splunk Product Security Policy, someone will be in touch with you within two business days.