Solved: Postgresql on Splunk Enterprise

SeanO_VA · ‎03-19-2025

Splunk Enterprise ships with a copy of PostGreSQL. The latest splunk installer, v9.4.1, however still ships with a version of Postgresql 16.0 which has several Security vulnerabilities. Is there a documented way to upgrade the version to 16.7?

Information on the PostgreSQL CVE
https://www.postgresql.org/about/news/postgresql-173-167-1511-1416-and-1319-released-3015/

skurasak1 · ‎03-20-2025

Just opened a ticket with support they said you can remove the file without problems and I have verified it, it was placed there as future versions are going to use it with patched version and will likely be removed with future versions of 9.14.x until that time. I personally don't like that they are using it, since postgres gets updated all the time and thus having this dependency on your product.

View solution in original post

skurasak1 · ‎03-20-2025

Just opened a ticket with support they said you can remove the file without problems and I have verified it, it was placed there as future versions are going to use it with patched version and will likely be removed with future versions of 9.14.x until that time. I personally don't like that they are using it, since postgres gets updated all the time and thus having this dependency on your product.

flakshack · ‎05-07-2025

Agree 100%. Hope they consider implementing a self-updating feature if they expect to have the frequency of updates that come along with postgresql.

SeanO_VA · ‎03-20-2025

Can't thank you enough! The Support ticket was on my todo list all day and kept getting back-burnered. Appreciate the information! Looking forward to rm'ing it in the morning

livehybrid · ‎03-19-2025

Hi @SeanO_VA

I would raise via support who will be able to instruct you of if/how you can safely remove postgres, however for what its worth - I havent yet found a feature of 9.4.x which requires the postgres to be configured/running - Is it running on your server?

If it isnt running then it isnt vulnerable to the SQL Injection of the referenced CVEs. It could be that future updates to Splunk require postgres for certain features, in which case I would hope that they've already updated Postgres 🙂

Fingers crossed it is updated for the next release.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

isoutamo · ‎03-19-2025

There are coming some new features in future splunk versions which are using postgresql. Currently some of those are in beta/private preview phase, but I haven't heard that none of those are yet in use.
Are you sure that you have official version where you see PostgreSql?

livehybrid · ‎03-19-2025

I am assuming @SeanO_VA is referring to the postgres binaries (pg_* binaries - although may be more) in the $SPLUNK_HOME/bin directory - although for me none are running on my 9.4.1 instance.

In terms of uses in future version of Splunk etc, I suspect it will be highly likely that the patched versions would be included unless there is a good reason not to, at which point it would be time to discuss directly with Support/Account team to determine relevant mitigations.

SeanO_VA · ‎03-19-2025

Idea submitted, but with the attitude "Snapshots are our Friend", I'm willing to roll the dice if there's even an unsupported "how-To" out there

Idea: https://ideas.splunk.com/ideas/EID-I-2527

richgalloway · ‎03-19-2025

Do not mess with software that ships with Splunk. You may break something and/or lose support.

Open a support case or go to https://ideas.splunk.com to report the vulnerabilities.

---
If this reply helps you, Karma would be appreciated.

Postgresql on Splunk Enterprise

administration

installation

other

upgrade

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?