Solved: Postgresql on Splunk Enterprise

SeanO_VA

Splunk Enterprise ships with a copy of PostGreSQL. The latest splunk installer, v9.4.1, however still ships with a version of Postgresql 16.0 which has several Security vulnerabilities. Is there a documented way to upgrade the version to 16.7?

Information on the PostgreSQL CVE
https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/

skurasak1

Just opened a ticket with support they said you can remove the file without problems and I have verified it, it was placed there as future versions are going to use it with patched version and will likely be removed with future versions of 9.14.x until that time. I personally don't like that they are using it, since postgres gets updated all the time and thus having this dependency on your product.

View solution in original post

skurasak1

Just opened a ticket with support they said you can remove the file without problems and I have verified it, it was placed there as future versions are going to use it with patched version and will likely be removed with future versions of 9.14.x until that time. I personally don't like that they are using it, since postgres gets updated all the time and thus having this dependency on your product.

SeanO_VA

Can't thank you enough! The Support ticket was on my todo list all day and kept getting back-burnered. Appreciate the information! Looking forward to rm'ing it in the morning

livehybrid

Hi @SeanO_VA

I would raise via support who will be able to instruct you of if/how you can safely remove postgres, however for what its worth - I havent yet found a feature of 9.4.x which requires the postgres to be configured/running - Is it running on your server?

If it isnt running then it isnt vulnerable to the SQL Injection of the referenced CVEs. It could be that future updates to Splunk require postgres for certain features, in which case I would hope that they've already updated Postgres 🙂

Fingers crossed it is updated for the next release.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

isoutamo

There are coming some new features in future splunk versions which are using postgresql. Currently some of those are in beta/private preview phase, but I haven't heard that none of those are yet in use.
Are you sure that you have official version where you see PostgreSql?

livehybrid

I am assuming @SeanO_VA is referring to the postgres binaries (pg_* binaries - although may be more) in the $SPLUNK_HOME/bin directory - although for me none are running on my 9.4.1 instance.

In terms of uses in future version of Splunk etc, I suspect it will be highly likely that the patched versions would be included unless there is a good reason not to, at which point it would be time to discuss directly with Support/Account team to determine relevant mitigations.

SeanO_VA

Idea submitted, but with the attitude "Snapshots are our Friend", I'm willing to roll the dice if there's even an unsupported "how-To" out there

Idea: https://ideas.splunk.com/ideas/EID-I-2527

richgalloway

Do not mess with software that ships with Splunk. You may break something and/or lose support.

Open a support case or go to https://ideas.splunk.com to report the vulnerabilities.

---
If this reply helps you, Karma would be appreciated.

Postgresql on Splunk Enterprise

administration

installation

other

upgrade

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)