Splunk 9.0.1 FAQ
This FAQ addresses the most commonly asked questions from Splunk's August 2022 security advisories that can be addressed by upgrading to Splunk Enterprise 9.0.1. For our Splunk Cloud Platform customers, Splunk will address many of these fixes. See our Splunk Product Security page for the most up-to-date information and subscribe to get timely updates.
General questions for all customers
What products are affected by the vulnerabilities mentioned in the Security Advisories?
The Splunk products that were affected by the identified vulnerabilities are listed in each Security Advisory. See the Splunk Product Security page for the list. The advisories released on Aug 16, 2022, affect Splunk Enterprise, Universal Forwarders, and the Splunk Cloud Platform.
Why were the advisories not made available as planned on August 2?
As we work to refine our security advisory process, feedback from customers is key. To create the best possible customer experience, we have adjusted the timing of our quarterly advisory announcement to August 16 to align with our product release cycle. We remain focused on ensuring customers on premise and in the cloud are patched and protected.
Will Splunk release a patch for earlier Splunk Enterprise and UF supported versions? Do you plan to backport the security updates to Splunk 8.1.x or 8.2.x versions?
Yes. Each advisory details the affected and fixed versions. Please note that SVD-2022-0801 only impacts 9.0 and SVD-2022-0803 does not impact 9.0.
- What vulnerabilities were disclosed?
See the Splunk Product Security page for more information.
Have the vulnerabilities been fully remedied? Are fixes available to customers?
Splunk released patches for Splunk Enterprise and Universal Forwarders in the 9.0, 8.1, and 8.2 release where applicable. For Splunk Cloud Platform, the fixed versions are listed in each advisory.
Do I need to configure anything to remedy any of these advisories?
No, it requires no additional customer action other than upgrade for Splunk Enterprise and UF upgrade only for Splunk Cloud Platform.
- How severe or impactful are the vulnerabilities?
These vulnerabilities range from low to high severity and should be carefully evaluated. Please review the individual advisories on the Splunk Product Security page as well as any applicable mitigations listed in each advisory.
Do the vulnerabilities affect Universal Forwarders?
Yes. SVD-2022-0803 and SVD-2022-0804 affect UFs.
Do the vulnerabilities affect heavy-weight forwarders (HWF)?
Refer to the advisories on the Product Security, which lists the components where applicable.
- What can I do to detect the vulnerabilities?
Splunk provided detections through the Splunk Enterprise Security Content Updates (ESCU) application to detect the potential exploitation of these vulnerabilities in customer environments. Customers with Splunk Enterprise Security will get ESCU update notices, but detections will need to be enabled on their stack/tenant for these notifications.
- Do the vulnerabilities affect older or unlisted versions of the Splunk platform?
Splunk has not tested or verified the impact on non-supported versions.
Are these vulnerabilities being actively exploited? Has Splunk identified any indication of a security incident, compromise, or breach related to these vulnerabilities? Has Splunk identified any customers that have been affected by the vulnerabilities? How do I know Splunk, my Splunk Cloud Platform deployment, or my Splunk Enterprise host was not compromised by these vulnerabilities?
There is no evidence of exploitation of the vulnerabilities by any external parties.
- Are there other vulnerabilities Splunk is aware of and has not disclosed? What is your disclosure policy?
Splunk follows industry best practices to discover and remedy vulnerabilities before disclosure. For Splunk’s disclosure policy, see Product Security at Splunk.
Why is Splunk releasing the Security Advisories now?
For more information on the timing of vulnerability disclosures and security advisories, please refer to the Splunk Product Security page.
What procedures did Splunk conduct to evaluate the impact?
Splunk executed its standard threat and vulnerability management procedure, which includes a comprehensive analysis for indications of potential compromise.
Did Splunk change the design or implement enhanced measures in its secure product development practice as a result of identifying these vulnerabilities?
No. Splunk did not change the design of its controls related to its secure product development process, patch management, and deployment.
Who discovered these vulnerabilities?
Splunk is constantly performing internal vulnerability testing and working with partners to discover potential vulnerabilities in our products. We have worked to responsibly disclose these issues to ensure they were validated, tested, and resolved for our customers.
Where can I get more information?
If you need additional assistance, please leverage your standard Splunk Customer Support channels, create a new support case, or work with your account team.
Splunk Enterprise deployments
What is the upgrade path? Do I need to already be on 9.0 to move to 9.0.1?
Refer to the upgrade path information for 9.0.x as described in the Installation Manual.
I can’t upgrade my Splunk Enterprise deployment right now. What are my mitigations?
Please refer to the individual advisories on Splunk Product Security for any applicable mitigations.
How can I tell in Splunk Enterprise which version I am running?
For help with identifying your Splunk Enterprise version, please refer to “Determine which version of Splunk Enterprise you're running”.
Splunk Cloud Platform deployments
Is Splunk Cloud Platform affected by these vulnerabilities?
Yes. SVD-2022-0802 and SVD-2022-0804 affect Splunk Cloud Platform.
When will Splunk update my Splunk Cloud Platform deployment and enable the fixes?
Due to the complexity and potential impact of fully remediating a deployment, roll out requires careful planning and coordination as to not disrupt customers. We aim to patch all customer deployments on a regular release train by mid-October 2022. Any applicable mitigations are also listed in each advisory.
How can I tell in Splunk Cloud Platform if I have been upgraded?
For help identifying your Splunk Cloud Platform version, please refer to “Determine which version of Splunk Enterprise you're running”.