topic Re: security - ssl rest api not closed on /dev/zero stream input in Getting Data In

security - ssl rest api not closed on /dev/zero stream input

lmcphpe — Sat, 04 Feb 2017 12:45:30 GMT

If you run the command
openssl s_client -connect ip:port < /dev/zero 2>&1
towards the rest api (port 8089) with ssl enabled, the tcp connection stays up forever after ssl handshake is done.

is there a way to mitigate this vulnerability?

Re: security - ssl rest api not closed on /dev/zero stream input

dwaddle — Tue, 07 Feb 2017 15:23:31 GMT

I would suggest that you look at how to report a possible vulnerability at https://www.splunk.com/page/securityportal. Report it there, and the ProdSec team will review as needed and get back to you.

Re: security - ssl rest api not closed on /dev/zero stream input

jtacy — Tue, 07 Feb 2017 23:47:27 GMT

This reminds me of the Slowloris [https://en.wikipedia.org/wiki/Slowloris_(computer_security)] attack that takes advantage of web servers that can't handle a lot of open connections. I haven't tested to see how vulnerable Splunk is but I would seriously consider placing some kind of reverse proxy in front of any user-facing services. I'm sure nginx is a popular option for this but if you already have F5 load balancers you may be able to use HTTP and OneConnect profiles to separate the client and server side connections. I'm sure other load balancers have similar options.

Re: security - ssl rest api not closed on /dev/zero stream input

aaraneta_splunk — Sat, 11 Mar 2017 17:12:16 GMT

@lmcphpe - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.