Splunk Protects
Learn about how Splunk keeps your data secure and private in its offerings and how it deploys Security by Design particularly in hosted services.
Report a Security Vulnerability
If you're a professional security researcher that discovered a vulnerability in a Splunk Product or Service, submit your findings to us
Critical Security Alerts, Quarterly Security Patches, and Third Party Bulletins
This page lists announcements of security fixes made in Critical Security Alerts, Quarterly Security Patch Updates, and Third Party Bulletins.
Critical Security Alerts
Splunk will publish out-of-band advisories for vulnerabilities that are time-sensitive as soon as possible.
Quarterly Security Patch Updates
Security Patch Updates are collections of security fixes for supported versions of Splunk products. Any Security Patch Updates released are made available to our customers.
Security Patch Updates are published on the first Tuesday of Splunk’s fiscal quarter. The next three dates are:
| SVD | Date | Title | Severity | CVE |
|---|---|---|---|---|
| SVD-2022-0507 | May 3, 2022 | Error message discloses internal path | Medium | CVE-2022-26070 |
| SVD-2022-0506 | May 3, 2022 | Path Traversal in search parameter | High | CVE-2022-26889 |
| SVD-2022-0505 | May 3, 2022 | Reflected XSS in a query parameter | High | CVE-2022-27183 |
| SVD-2022-0504 | May 3, 2022 | Bypass of DUO MFA | High | CVE-2021-26253 |
| SVD-2022-0503 | May 3, 2022 | S2S TcpToken authentication bypass | High | CVE-2021-31559 |
| SVD-2022-0502 | May 3, 2022 | Username enumeration | Medium | CVE-2021-33845 |
| SVD-2022-0501 | May 3, 2022 | Local privilege escalation in Splunk Enterprise Windows | High | CVE-2021-42743 |
For archived security announcements, go to the Security Announcements Archive.
Third-Party Bulletins
Third-Party Bulletins announce security patches for third-party software. Splunk publishes Third Party Bulletins on the same day as Critical Security Alerts or Quarterly Security Patch Updates.
| SVD | Date | Title | Severity | CVE |
|---|---|---|---|---|
| NA | January 7, 2022 | Splunk Security Advisory for Apache Log4j | Critical | CVE-2021-44228, CVE-2021-45046 |
Policy on information provided in Critical Security Alert and Security Patch Updates
Splunk continuously monitors for vulnerabilities discovered through scans, offensive exercises, employees or externally reported by vendors or researchers. Splunk follows industry best practices to discover and remediate vulnerabilities. To report a security vulnerability, please submit to the Security Vulnerability Submission Portal.
Splunk will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Security Alert or the Security Patch Update. Splunk does not distribute active exploit code (i.e. proof of concept code) for vulnerabilities in our products.
Applicability of Critical Security Alerts and Quarterly Security Updates
The Splunk teams regularly evaluate Critical Security Alerts, Quarterly Security Patch Updates and Third Party bulletins as they become available and apply the relevant patches in accordance with applicable change management processes.
Customers requiring additional information that is not addressed in the Critical Patch Update Advisory may obtain information by going to the Support Portal and submitting a New Case.
