https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89833#M22616 <P>Openssl doesn't consider this an actual vulnerability which is why it hasn't been fixed in v0.9.8x. It's a way of DoS'ing a server by requesting lots of expensive crypto operations. If you have unfettered access to the REST port you can flood Splunk with plenty of other types of requests that consume just as much CPU. </P> <P>Any app that allows an operation like SSL negotiation to an untrusted host is subject to resource exhaustion. The correct answer is to restrict hosts if this is an issue.</P> <P>Note also that if the OS firewall is not enabled, any OS is subject to a DOS through resource exhaustion some how, even if it's just TCP port exhaustion.</P> <P>This was brought up to Engineering in SPL-58707 and the information provided here serves as an official answer on the topic. </P> Thu, 31 Jan 2013 17:57:16 GMT jbsplunk 2013-01-31T17:57:16Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89831#M22614 <P>I got report from Nessus saying Splunk is vulnerable to CVE-2011-1473 - renegotiation DoS over SSLv3.<BR /> How can I fix this?</P> Mon, 15 Oct 2012 11:54:21 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89831#M22614 mpavlas 2012-10-15T11:54:21Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89832#M22615 <P>I also have found the same vulnerability after running Nessus Security scan. We are running v4.3.4, is there any update to this issue in v5.0?</P> <P>53491 (1) - SSL / TLS Renegotiation DoS<BR /> Synopsis<BR /> The remote service allows repeated renegotiation of TLS / SSL connections.<BR /> Description<BR /> The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational<BR /> requirements for renegotiating a connection are asymmetrical between the client and the server, with the server<BR /> performing several times more work. Since the remote host does not appear to limit the number of renegotiations<BR /> for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly<BR /> renegotiate them, possibly leading to a denial of service condition.<BR /> See Also<BR /> <A href="http://orchilles.com/2011/03/ssl-renegotiation-dos.html">http://orchilles.com/2011/03/ssl-renegotiation-dos.html</A><BR /> <A href="http://www.ietf.org/mail-archive/web/tls/current/msg07553.html">http://www.ietf.org/mail-archive/web/tls/current/msg07553.html</A><BR /> Solution<BR /> Contact the vendor for specific patch information.<BR /> Risk Factor<BR /> Medium<BR /> CVSS Base Score<BR /> 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)<BR /> CVSS Temporal Score<BR /> 3.9 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)<BR /> References<BR /> BID 48626<BR /> CVE CVE-2011-1473<BR /> XREF OSVDB:73894<BR /> Plugin Information:<BR /> Publication date: 2011/05/04, Modification date: 2012/10/04<BR /> Hosts<BR /> 10.20.22.140 (tcp/8089)<BR /> The remote host is vulnerable to renegotiation DoS over TLSv1 / SSLv3.</P> Tue, 29 Jan 2013 20:00:28 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89832#M22615 beaumaris 2013-01-29T20:00:28Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89833#M22616 <P>Openssl doesn't consider this an actual vulnerability which is why it hasn't been fixed in v0.9.8x. It's a way of DoS'ing a server by requesting lots of expensive crypto operations. If you have unfettered access to the REST port you can flood Splunk with plenty of other types of requests that consume just as much CPU. </P> <P>Any app that allows an operation like SSL negotiation to an untrusted host is subject to resource exhaustion. The correct answer is to restrict hosts if this is an issue.</P> <P>Note also that if the OS firewall is not enabled, any OS is subject to a DOS through resource exhaustion some how, even if it's just TCP port exhaustion.</P> <P>This was brought up to Engineering in SPL-58707 and the information provided here serves as an official answer on the topic. </P> Thu, 31 Jan 2013 17:57:16 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-SSL-renegotiation/m-p/89833#M22616 jbsplunk 2013-01-31T17:57:16Z