Critical SOAR Security Update: Splunk Patches Third-Party Package Vulnerabilities

Splunk has released a comprehensive security advisory addressing multiple critical vulnerabilities in third-party packages within SOAR versions 6.4.0 and 6.4.1.

The advisory, published on July 7, 2025, identifies significant security vulnerabilities across various components including git, Django, cryptography libraries, and JavaScript frameworks that could potentially compromise organizational security operations.

The company has implemented extensive remediation measures and strongly recommends immediate upgrades to version 6.4.1 to address these vulnerabilities.

The security advisory reveals several critical and high-severity vulnerabilities that pose significant risks to SOAR deployments:

Critical Vulnerabilities:

• CVE-2024-32002 in the git package – Required upgrading to version 2.48.1.
• CVE-2024-48949 affecting the @babel/traverse component – Package completely removed in SOAR version 6.4.1 to eliminate risk.

High-Severity Vulnerabilities:

• CVE-2024-45230 in Django framework – Affects Automation Broker component, required upgrading to version 4.2.20.
• CVE-2020-28458 and CVE-2021-23445 in jQuery DataTables – Necessitated upgrade from version 1.10.21 to 1.13.11.
• CVE-2024-45801 and CVE-2024-47875 in DomPurify – Required updating from version 3.0.1 to 3.2.4.
• CVE-2024-21538 in cross-spawn package – Demanded immediate attention and remediation.
• CVE-2024-52804 in tornado framework – High severity rating requiring urgent updates.
• CVE-2024-49767 in werkzeug component – Required upgrading to version 3.0.6.

These vulnerabilities span across multiple critical components including version control systems, web frameworks, JavaScript libraries, and security-related packages, making immediate remediation essential for maintaining secure SOAR operations.

The cross-spawn package vulnerability CVE-2024-21538 and the tornado framework vulnerability CVE-2024-52804 both carried high severity ratings, requiring immediate attention.

Additionally, the werkzeug component presented CVE-2024-49767, another high-severity vulnerability that demanded upgrading to version 3.0.6.

Package Updates and Remediation

Splunk’s remediation strategy involved a systematic approach to updating affected packages across both SOAR versions 6.4.0 and 6.4.1:

Staged Package Upgrades:

• setuptools – Upgraded to version 75.5.0 in SOAR 6.4.0, then further enhanced to version 78.1.0 in version 6.4.1 to address CVE-2024-6345.
• axios – Upgraded to version 1.7.9 in SOAR 6.4.0, subsequently updated to version 1.8.3 in version 6.4.1 to resolve CVE-2024-39338.

Cryptography-Related Updates:

• cryptography package – Updated to version 44.0.1 to address CVE-2024-12797.
• pyOpenSSL – Upgraded to version 24.3.0 to resolve CVE-2024-12797.

Standard Package Upgrades:

• jinja templating engine – Upgraded to version 3.1.4 to resolve CVE-2024-34064.
• @babel/runtime package – Updated to version 7.26.10 to address CVE-2025-27789.

Package Removals:

• wkhtml component – Entirely removed from Automation Broker to eliminate CVE-2022-35583.
• @babel/traverse package – Completely removed in SOAR version 6.4.1.

Configuration Modifications:

• avahi-daemon component – Modified configuration by setting ‘enable-wide-area’ flag to ‘no’ in ‘/etc/avahi/avahi-daemon.conf’ file to mitigate CVE-2024-52616 rather than upgrading.

This comprehensive approach demonstrates Splunk’s commitment to addressing vulnerabilities through multiple remediation strategies, including upgrades, removals, and configuration changes based on the most effective security approach for each component.

Immediate Action Required for SOAR Users

Organizations utilizing Splunk SOAR must prioritize immediate upgrades to version 6.4.1 or higher to protect against these vulnerabilities.

The advisory specifically affects SOAR base version 6.4 installations running versions below 6.4.1, making the upgrade path clearly defined and urgent.

The severity ratings adopted by Splunk follow both vendor assessments and the National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS), ensuring consistent risk evaluation.

Given the presence of multiple critical and high-severity vulnerabilities, delayed patching could expose organizations to significant security risks, potentially compromising their security orchestration, automation, and response capabilities.

IT security teams should immediately assess their current SOAR deployments, schedule maintenance windows for upgrades, and implement version 6.4.1 as soon as operationally feasible to maintain robust security postures.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.