On July 7, 2025, Splunk announced the release of critical security updates for its Security Orchestration, Automation, and Response (SOAR) platform, specifically targeting versions 6.4.0 and 6.4.1. These updates address multiple vulnerabilities in third-party packages, with severity levels ranging from medium to critical. The affected components include essential libraries and tools such as git, Django, cryptography, and various JavaScript packages. Security administrators managing Splunk SOAR deployments are urged to apply these updates promptly to mitigate potential risks.
Key Vulnerabilities Addressed:
1. CVE-2024-32002 (git): A critical vulnerability in the git package has been identified in Splunk SOAR versions 6.4.0 and 6.4.1. This issue has been resolved by upgrading git to version 2.48.1. The critical severity rating underscores the necessity for immediate action to prevent potential security breaches.
2. CVE-2024-48949 (@babel/traverse): Another critical vulnerability, affecting the @babel/traverse package, was addressed in Splunk SOAR 6.4.0 by upgrading the package to version 7.26.7. In Splunk SOAR 6.4.1, Splunk opted to remove the @babel/traverse package entirely, thereby eliminating the vulnerability.
Additional High-Severity Vulnerabilities:
– CVE-2024-45230 (Django): This high-severity vulnerability in the Django framework has been mitigated by upgrading to version 4.2.20 within the Automation Broker component.
– CVE-2024-21538 (cross-spawn): A high-severity issue in the cross-spawn package has been addressed by upgrading to version 7.0.6.
– CVE-2024-52804 (tornado): The tornado package vulnerability has been resolved by upgrading to version 6.4.2.
– CVE-2022-35583 (wkhtml): To address this high-severity vulnerability, the wkhtml component has been removed from the Automation Broker.
– CVE-2024-6345 (Setuptools): The Setuptools package has been upgraded to version 75.5.0 in Splunk SOAR 6.4.0 and to version 78.1.0 in Splunk SOAR 6.4.1 to remediate this high-severity issue.
– CVE-2024-39338 (Axios): The Axios JavaScript library has been updated to version 1.7.9 in Splunk SOAR 6.4.0 and to version 1.8.3 in Splunk SOAR 6.4.1 to address this vulnerability.
– CVE-2024-49767 (Werkzeug): The Werkzeug WSGI utility library has been upgraded to version 3.0.6 to mitigate this high-severity vulnerability.
Medium-Severity Vulnerabilities:
– CVE-2025-27789 (@babel/runtime): This medium-severity vulnerability has been addressed by upgrading the @babel/runtime package to version 7.26.10.
– CVE-2024-12797 (cryptography and pyOpenSSL): Both the cryptography and pyOpenSSL packages have been upgraded to versions 44.0.1 and 24.3.0, respectively, to remediate this medium-severity issue.
– CVE-2024-34064 (jinja): The jinja package has been updated to version 3.1.4 to address this vulnerability.
– CVE-2024-52616 (avahi-daemon): The avahi-daemon configuration has been modified by setting ‘enable-wide-area’ to ‘no’ to mitigate this medium-severity issue.
Recommendations for Administrators:
Organizations utilizing Splunk SOAR versions 6.4.0 and 6.4.1 are strongly advised to upgrade to version 6.4.1 or higher immediately. Unpatched vulnerabilities could allow unauthorized access, code execution, and data manipulation within the core SOAR infrastructure. By applying these updates, administrators can ensure the security and integrity of their SOAR environments.
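After upgrading, administrators can confirm that a host actually carries the fixed versions listed above. The following Python sketch is an added example, not Splunk tooling: it audits a `name==version` package inventory against the 6.4.1 versions given in this article. The inventory format, the `Jinja2` alias and the sample data are assumptions made for illustration.

```python
import re

# Fixed versions the article lists for Splunk SOAR 6.4.1 (names lower-cased).
FIXED = {
    "git": "2.48.1", "django": "4.2.20", "cross-spawn": "7.0.6",
    "tornado": "6.4.2", "setuptools": "78.1.0", "axios": "1.8.3",
    "werkzeug": "3.0.6", "@babel/runtime": "7.26.10",
    "cryptography": "44.0.1", "pyopenssl": "24.3.0", "jinja": "3.1.4",
}
REMOVED = {"@babel/traverse", "wkhtml"}  # removed rather than upgraded
ALIASES = {"jinja2": "jinja"}  # assumption: inventory uses the PyPI name

def parse_version(text):
    """Return a tuple of ints for a purely numeric dotted version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(found, fixed):
    """Compare after zero-padding so that 3.1 and 3.1.0 count as equal."""
    width = max(len(found), len(fixed))
    return found + (0,) * (width - len(found)) < fixed + (0,) * (width - len(fixed))

def audit(inventory_text):
    """Return (package, version, status) for each 'name==version' line."""
    results = []
    for line in inventory_text.splitlines():
        name, _, version = line.strip().partition("==")
        if not name or name.startswith("#"):
            continue
        key = ALIASES.get(name.strip().lower(), name.strip().lower())
        found = parse_version(version.strip())
        if key in REMOVED:
            status = "should-be-removed"
        elif key not in FIXED:
            status = "not-listed"
        elif found is None:
            status = "review-manually"  # pre-release or vendor-suffixed version
        elif is_older(found, parse_version(FIXED[key])):
            status = "below-fixed " + FIXED[key]
        else:
            status = "ok"
        results.append((key, version.strip(), status))
    return results

# Constructed sample inventory, not taken from a real SOAR host.
SAMPLE = "git==2.43.0\nDjango==4.2.20\nJinja2==3.1.3\naxios==1.7.9\n" \
         "@babel/traverse==7.26.7\ntornado==6.4.2rc1\nrequests==2.32.3"

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Versions that are not purely numeric are flagged for manual review instead of being guessed at, so a pre-release build is never reported as patched.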