=====================================================================
CERT-Renater                        Information Note No. 2025/VULN360
_____________________________________________________________________

DATE                 : 13/06/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Splunk Third-Party Packages.
=====================================================================

https://advisory.splunk.com/advisories/SVD-2025-0606
https://advisory.splunk.com/advisories/SVD-2025-0605
_____________________________________________________________________

Third-Party Package Updates in Splunk Machine Learning Toolkit - June 2025

Advisory ID : SVD-2025-0606
CVE ID      : Multiple
Published   : 2025-06-12
Last Update : 2025-06-12

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party
Packages in Splunk Machine Learning Toolkit (MLTK) version 5.6.0, including
the following:

Package               Remediation           CVE             Severity
cross-spawn           Upgraded to v7.0.5    CVE-2024-21538  High
serialize-javascript  Upgraded to v6.0.2    CVE-2024-11831  Medium
dompurify             Upgraded to v3.2.4    CVE-2025-26791  Medium
nanoid                Upgraded to v3.3.8    CVE-2024-55565  Medium
elliptic              Upgraded to v6.6.0    CVE-2024-48948  Medium
@babel/runtime        Upgraded to v7.26.10  CVE-2025-27789  Medium

Solution

Upgrade Splunk Machine Learning Toolkit (MLTK) to version 5.6.0 or higher.

For Splunk Machine Learning Toolkit (MLTK), upgrading Python for Scientific
Computing (PSC) to version 4.2.3 requires updating MLTK to version 5.6.0 or
higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade
for upgrade help and
https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure
for more information on version compatibility.
Product Status

Product                                 Base Version  Affected Version  Fix Version
Splunk Machine Learning Toolkit (MLTK)  5.6           Below 5.6.0       5.6.0

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the
National Vulnerability Database (NVD) common vulnerability scoring system
(CVSS) rating, as available.
_____________________________________________________________________

Third-Party Package Updates in Python for Scientific Computing - June 2025

Advisory ID : SVD-2025-0605
CVE ID      : Multiple
Published   : 2025-06-12
Last Update : 2025-06-12

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party
Packages in Python for Scientific Computing versions 4.2.3 or 3.2.3 and
higher, including the following:

Package   Remediation          CVE             Severity
OpenSSL   Upgraded to v3.4.1   CVE-2024-12797  Low
onnx      Upgraded to v1.17.0  Multiple        Critical
jinja2    Upgraded to v3.1.6   Multiple        Medium
pytorch   Upgraded to v2.6.0   CVE-2025-32434  Critical

Solution

Upgrade Python for Scientific Computing (PSC) to version 4.2.3 or 3.2.3 or
higher.

For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to version 4.2.3
requires updating MLTK to version 5.6.0 or higher. See
https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade
help and
https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure
for more information on version compatibility.

For Splunk IT Service Intelligence (ITSI), upgrading PSC to version 4.2.3
might cause problems with ITSI Predictive Analytics. After an upgrade of PSC,
ITSI Predictive Analytics models might require retraining. See
https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel for more
information.
Product Status

Product                                              Base Version  Affected Version  Fix Version
Python for Scientific Computing (for Linux 64-bit)   4.2           4.2.2             4.2.3
Python for Scientific Computing (for Mac Apple Silicon)  4.2       4.2.2             4.2.3
Python for Scientific Computing (for Mac Intel)      4.2           4.2.2             4.2.3
Python for Scientific Computing (for Windows 64-bit) 4.2           4.2.2             4.2.3
Python for Scientific Computing (for Linux 64-bit)   3.2           3.2.2             3.2.3
Python for Scientific Computing (for Mac Apple Silicon)  3.2       3.2.2             3.2.3
Python for Scientific Computing (for Mac Intel)      3.2           3.2.2             3.2.3
Python for Scientific Computing (for Windows 64-bit) 3.2           3.2.2             3.2.3

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the
National Vulnerability Database (NVD) common vulnerability scoring system
(CVSS) rating, as available.

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
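Turning the two remediation tables above into a check against what is actually installed is the routine follow-up for an advisory like this. The script below is an added example and is not code from Splunk or CERT-Renater: it carries the package names, fix versions and CVE identifiers from SVD-2025-0606 and SVD-2025-0605 as data and flags every inventory entry that is below its fix version. The inventory lines are constructed, in pip-freeze (`name==version`) and npm (`name@version`) style; the mapping of the pip distribution name `torch` to the advisory's `pytorch` is an assumption, and how OpenSSL shows up in a real PSC inventory is not something the advisory specifies, so the `openssl==` line is a stand-in.

```python
"""Compare a package inventory against the fix versions published in
SVD-2025-0606 (MLTK 5.6.0) and SVD-2025-0605 (PSC 4.2.3 / 3.2.3).
Added example: the table is copied from the advisories, the inventory
below is constructed, not captured from a Splunk host."""
import re

# Advisory package (lower-cased) -> (fix version, CVE) as listed above.
FIXED_VERSIONS = {
    # SVD-2025-0606: JavaScript dependencies of Splunk MLTK 5.6.0
    "cross-spawn": ("7.0.5", "CVE-2024-21538"),
    "serialize-javascript": ("6.0.2", "CVE-2024-11831"),
    "dompurify": ("3.2.4", "CVE-2025-26791"),
    "nanoid": ("3.3.8", "CVE-2024-55565"),
    "elliptic": ("6.6.0", "CVE-2024-48948"),
    "@babel/runtime": ("7.26.10", "CVE-2025-27789"),
    # SVD-2025-0605: Python dependencies of PSC 4.2.3 / 3.2.3
    "openssl": ("3.4.1", "CVE-2024-12797"),
    "onnx": ("1.17.0", "Multiple"),
    "jinja2": ("3.1.6", "Multiple"),
    "pytorch": ("2.6.0", "CVE-2025-32434"),
}

# Assumption: pip reports PyTorch as the distribution "torch".
ALIASES = {"torch": "pytorch"}

# Constructed sample inventory (pip-freeze and npm styles mixed).
SAMPLE_INVENTORY = """\
# constructed sample, not real output from a Splunk host
cross-spawn@7.0.3
serialize-javascript@6.0.2
dompurify@3.2.3
nanoid@3.3.8
elliptic@6.5.7
@babel/runtime@7.26.10
jinja2==3.1.5
torch==2.6.0
onnx==1.16.2
openssl==3.4.1
requests==2.32.3
"""


def parse_version(text):
    """Map '7.0.5', 'v6.6', '3.2.4rc1' to a comparable tuple.

    The dotted numeric prefix is padded to four parts so 6.6 == 6.6.0, and a
    trailing flag is 0 for pre-release tags (a/b/rc/dev) and 1 otherwise, so
    3.2.4rc1 sorts below 3.2.4. Local/post suffixes count as final releases.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip().lstrip("vV"))
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))
    final = 0 if re.match(r"[-.]?(a|b|rc|dev)", m.group(2)) else 1
    return tuple(nums) + (final,)


def parse_inventory(text):
    """Parse 'name==version' or 'name@version' lines into {name: version}.

    rpartition on '@' keeps scoped npm names such as '@babel/runtime' intact.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" in line:
            name, version = line.split("==", 1)
        else:
            name, sep, version = line.rpartition("@")
            if not sep:
                continue  # not a recognised inventory line
        name = name.strip().lower()
        found[ALIASES.get(name, name)] = version.strip()
    return found


def check_inventory(text):
    """Return [(package, installed, fix, cve)] for every advisory package
    that is present in the inventory at a version below its fix version."""
    findings = []
    for name, installed in parse_inventory(text).items():
        if name not in FIXED_VERSIONS:
            continue
        fix, cve = FIXED_VERSIONS[name]
        if parse_version(installed) < parse_version(fix):
            findings.append((name, installed, fix, cve))
    return findings


if __name__ == "__main__":
    for name, installed, fix, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{name}: installed {installed}, fixed in {fix} ({cve})")
```

Against the constructed inventory the check reports cross-spawn, dompurify, elliptic, jinja2 and onnx; packages already at the fix version and packages the advisory does not mention produce nothing. The version comparison deliberately treats a pre-release of the fix version as still affected, which is the conservative reading of "upgraded to vX".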