Splunk 9.0.5 FAQ
This FAQ addresses expected questions regarding Splunk's June 2023 security advisories that can be addressed by upgrading to Splunk Enterprise 9.0.5. For our Splunk Cloud Platform customers, Splunk will address these fixes as applicable. See our Splunk Product Security page for the most up-to-date information and subscribe to get timely updates.
General FAQs for all customers
What products are affected by the vulnerabilities mentioned in the Security Advisories?
The Splunk products that are affected by the identified vulnerabilities are listed in each Security Advisory. See the Splunk Product Security page for the list. The advisories released on June 1, 2023 affect Splunk Enterprise and Splunk Cloud Platform.
Will Splunk release a patch for earlier supported versions of Splunk Enterprise and Universal Forwarders? Do you plan to backport the security updates to Splunk 8.1.x or 8.2.x versions?
Yes. Each advisory details the affected and fixed versions. See the Splunk Product Security page for more information.
What vulnerabilities were disclosed?
See the Splunk Product Security page for more information.
Have the vulnerabilities been fully remedied and made available to customers?
Splunk released patches for Splunk Enterprise in the 9.0, 8.2, and 8.1 releases where applicable. For Splunk Cloud Platform, the fixed versions appear in each advisory.
Do I need to configure anything to remedy any of these advisories?
No, it requires no additional customer action other than to upgrade if you are using Splunk Enterprise.
How severe are the vulnerabilities?
These vulnerabilities range from low to high severity and must be carefully evaluated. Review the individual advisories on the Splunk Product Security page as well as any applicable mitigations listed in each advisory.
Do the vulnerabilities affect the Universal Forwarder (UF)?
Refer to the advisories on the Splunk Product Security page, which lists the components where applicable.
Do the vulnerabilities affect heavy forwarders?
Refer to the advisories on the Splunk Product Security page which lists the components where applicable.
What can I do to detect the vulnerabilities?
Splunk provided detections through the Splunk Enterprise Security Content Updates (ESCU) application to detect the potential exploitation of these vulnerabilities in customer environments. Customers with Splunk Enterprise Security will get ESCU update notices, but detections need to be enabled on their stack/tenant for these notifications.
Do the vulnerabilities affect older or unlisted versions of the Splunk platform?
Splunk has not tested or verified the impact of vulnerabilities on versions it does not support. Review Splunk’s Support Policy for currently supported versions.
Are these vulnerabilities being actively exploited? Has Splunk identified any indication of a security incident, compromise, or breach related to these vulnerabilities? Has Splunk identified any customers that have been affected by the vulnerabilities? How do I know Splunk/my Splunk Cloud Platform deployment/my Splunk Enterprise host was not compromised by these vulnerabilities?
There is no evidence of exploitation of the vulnerabilities by any external parties.
Are there other vulnerabilities Splunk is aware of and has not disclosed? What is your disclosure policy?
Splunk follows industry best practices to discover and remedy vulnerabilities before disclosure. For Splunk’s disclosure policy, see Product Security at Splunk.
Why is Splunk releasing the Security Advisories now?
For more information on the timing of vulnerability disclosures and security advisories, refer to the Splunk Product Security page.
What procedures did Splunk conduct to evaluate the impact?
Splunk executed its standard threat and vulnerability management procedure, which includes a comprehensive analysis for indications of potential compromise.
Did Splunk change the design or implement enhanced measures in its secure product development practice as a result of identifying these vulnerabilities?
No. Splunk did not change the design of its controls related to its secure product development process, patch management, and deployment.
Who identified these vulnerabilities?
Refer to the Acknowledgement section of each advisory on the Splunk Product Security page.
Where can I, as a customer, get more information?
If you need additional assistance, leverage your standard Splunk Customer Support channels, create a new support case, or work with your account team.
Splunk Enterprise deployments
What is the upgrade path? Do I need to already be on 9.0 to move to 9.0.5?
Refer to the upgrade path information for 9.0.x as described in the Installation Manual in the Splunk Documentation.
I can’t upgrade my Splunk Enterprise deployment right now. What are my mitigations?
Refer to the individual advisories on Splunk Product Security for any applicable mitigations.
How can I tell in Splunk Enterprise which version I am running?
For help with identifying your Splunk Enterprise version, refer to Determine which version of Splunk Enterprise you're running.
Splunk Cloud Platform deployments
Is Splunk Cloud Platform affected by these vulnerabilities?
Yes. Refer to the Splunk Product Security page for more information.
When will Splunk update my Splunk Cloud Platform deployment and enable the fixes?
Due to the complexity and potential impact of fully remedying a deployment, roll out requires careful planning and coordination as to not disrupt customers. Check with your account team for current scheduling. Each advisory also lists any applicable mitigations.
How can I tell in Splunk Cloud Platform if I have been upgraded?
For help identifying your Splunk Cloud Platform version, refer to Determine which version of Splunk Enterprise you're running.