Splunk Addresses Third-Party Package Vulnerabilities in SOAR Versions

Splunk has released critical security updates addressing multiple vulnerabilities in third-party packages in SOAR versions 6.4.0 and 6.4.1.

Published on July 7, 2025, this comprehensive security update remediates various Common Vulnerabilities and Exposures (CVEs) ranging from medium to critical severity levels. 

The vulnerabilities affect essential components, including git, Django, cryptography libraries, and JavaScript packages, requiring immediate attention from security administrators managing Splunk SOAR deployments.

Key Takeaways
1. Splunk addresses multiple critical CVEs including CVE-2024-32002 (git) and CVE-2024-48949 (@babel/traverse) in SOAR versions 6.4.0 and 6.4.1.
2. Third-party components were upgraded, including Django, cryptography, and jQuery DataTables, and wkhtml was removed, covering vulnerabilities from critical to medium severity.
3. All SOAR 6.4 installations below version 6.4.1 must immediately upgrade to 6.4.1 or higher.
4. Unpatched vulnerabilities could enable unauthorized access, code execution, and data manipulation across the core SOAR infrastructure.

Critical Vulnerabilities Addressed

The security advisory identifies several critical-severity vulnerabilities that pose immediate risks to SOAR environments. 

CVE-2024-32002 is a critical severity vulnerability affecting the git package. This vulnerability was identified in Splunk SOAR versions 6.4.0 and 6.4.1 and has been remediated through an upgrade to git version 2.48.1. 

The critical severity rating indicates this vulnerability poses significant security risks and requires immediate attention from system administrators.

CVE-2024-48949 represents another critical severity vulnerability, specifically targeting the @babel/traverse package. 

In Splunk SOAR version 6.4.0, this vulnerability was addressed by upgrading the package to version 7.26.7. 

However, in the subsequent SOAR version 6.4.1, Splunk took the more decisive approach of completely removing the @babel/traverse package to eliminate the vulnerability entirely.

High-Severity Issues

High-severity vulnerabilities include CVE-2024-45230 in Django, CVE-2024-21538 in cross-spawn, CVE-2024-52804 in tornado, CVE-2022-35583 in wkhtml, CVE-2024-6345 in Setuptools, CVE-2024-39338 in the Axios JavaScript library, and CVE-2024-49767 in the Werkzeug WSGI utility library.

These vulnerabilities could potentially allow unauthorized access, code execution, or data manipulation within the SOAR environment.

| Package | Patched Version / Remediation | CVE ID(s) | Severity |
|---|---|---|---|
| git | Upgrade to v2.48.1 | CVE-2024-32002 | Critical |
| @babel/runtime | Upgraded to v7.26.10 | CVE-2025-27789 | Medium |
| django | Upgraded to v4.2.20 in Automation Broker | CVE-2024-45230 | High |
| cryptography | Upgraded to v44.0.1 | CVE-2024-12797 | Medium |
| pyOpenSSL | Upgraded to v24.3.0 | CVE-2024-12797 | Medium |
| jquery.datatables | Upgraded to v1.13.11 | CVE-2020-28458, CVE-2021-23445 | High |
| DomPurify | Upgraded to v3.2.4 | CVE-2024-45801, CVE-2024-47875 | High |
| wkhtml | Removed from Automation Broker | CVE-2022-35583 | High |
| cross-spawn | Upgraded to v7.0.6 | CVE-2024-21538 | High |
| @babel/traverse | Upgraded to v7.26.7 (removed in v6.4.1) | CVE-2024-48949 | Critical |
| setuptools | Upgraded to v75.5.0 (v6.4.0) / v78.1.0 (v6.4.1) | CVE-2024-6345 | High |
| axios | Upgraded to v1.7.9 (v6.4.0) / v1.8.3 (v6.4.1) | CVE-2024-39338 | High |
| jinja | Upgraded to v3.1.4 | CVE-2024-34064 | Medium |
| tornado | Upgraded to v6.4.2 | CVE-2024-52804 | High |
| avahi-daemon | Set enable-wide-area to ‘no’ in config | CVE-2024-52616 | Medium |
| werkzeug | Upgraded to v3.0.6 | CVE-2024-49767 | High |
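
As an added example (not from Splunk's advisory or the original article), the Python script below checks a package inventory against the fixed versions the table lists for SOAR 6.4.1 and flags anything older or anything the advisory removes. The `name==version` input format, the `jinja2` alias and the sample inventory are assumptions made for illustration.

```python
import re

# Minimum fixed versions for SOAR 6.4.1, copied from the remediation table.
# None marks a package the advisory removes instead of upgrading.
FIXED_641 = {
    "git": "2.48.1", "@babel/runtime": "7.26.10", "django": "4.2.20",
    "cryptography": "44.0.1", "pyopenssl": "24.3.0",
    "jquery.datatables": "1.13.11", "dompurify": "3.2.4", "wkhtml": None,
    "cross-spawn": "7.0.6", "@babel/traverse": None, "setuptools": "78.1.0",
    "axios": "1.8.3", "jinja": "3.1.4", "tornado": "6.4.2", "werkzeug": "3.0.6",
}
ALIASES = {"jinja2": "jinja"}  # assumption: PyPI distribution name for jinja

def parse_version(text):
    """'v2.48.1' -> (2, 48, 1). Pre-release/local suffixes are ignored."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_older(installed, fixed):
    """Numeric compare with zero padding, so 4.2 equals 4.2.0 and 4.2.9 < 4.2.20."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory_lines, fixed=FIXED_641):
    """Return {package: finding} for 'name==version' lines that still need action."""
    findings = {}
    for line in inventory_lines:
        name, _, version = line.strip().partition("==")
        key = ALIASES.get(name.lower(), name.lower())
        if not version or key not in fixed:
            continue  # blank/malformed line, or package not in the advisory
        if fixed[key] is None:
            findings[key] = "still installed; advisory removes it"
        elif is_older(version, fixed[key]):
            findings[key] = f"{version} is below fixed {fixed[key]}"
    return findings

# Constructed inventory for illustration; not taken from a real SOAR host.
SAMPLE = ["Django==4.2.16", "cryptography==44.0.1", "tornado==6.4.2",
          "Jinja2==3.1.3", "axios==1.7.9", "@babel/traverse==7.26.7", "requests==2.32.3"]

if __name__ == "__main__":
    for package, finding in audit(SAMPLE).items():
        print(f"{package}: {finding}")
```

Upgrading SOAR itself remains the remediation; a check like this only confirms what an inventory reports afterwards.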

Organizations must immediately upgrade to Splunk SOAR version 6.4.1 or higher to remediate all identified vulnerabilities. 

The advisory affects all SOAR base version 6.4 installations below 6.4.1, making this update essential for maintaining security posture.

System administrators should prioritize this update due to the presence of multiple critical and high-severity CVEs. 

Organizations should schedule maintenance windows promptly to deploy these critical security patches and protect their SOAR environments from potential exploitation.
