My apologies.  I recalled a selector where one could choose the terminal emulation, but I must have been thinking of a different program.

The setting in question is "Terminal-type string" in Connection->Data.  Enter a value from your system's termcap or terminfo file for a terminal type that does not support ANSI sequences.  Your Linux system admin should be able to assist with the choice.

I have one more question after discussing internally
        Is there a way/mechanism available to identify if the splunk log files are effected and if possible isolate
        Please let me know if there is any tool/script which is already available ?

Thanks in advance

I am not aware of a method to determine if the vulnerability has already been exploited.  In theory, you should search for fragments of ANSI escape sequences using SPL (the vulnerability applies only to the CLI), but don't know what one would search for since Splunk and other site have few details available.

Thanks for response.

Based on articles/links and interactions with other members. 

Note: Below workaround solution varies based on deployment (attack surface)  for other setups

Simple/Minimal solution I see as of now:

---------------------------------------------------------------------------------------

Summary:

      Issue: Unauthenticated Log Injection in Splunk Enterprise

      Attack Surface : Not straight forward (There is minimal scope of any injection from Splunk Enterprise setup as it has been configured for few restricted users)

            Link: https://community.splunk.com/t5/Deployment-Architecture/How-to-disable-the-ability-to-process-ANSI-e...

      Workaround:  Ask end user to use “less” command instead of “cat”/”tail” commands to access splunk logs ( To be on safer side) in terminal.

----------------------------------------------------------------------------------------

Please let me know anything else needs to be added for workaround. 

Please feel free to correct if I am missing anything during understanding

Hi

you should disable at least:

• Disable remote-controlled window title changing
• And definitely keep Response to remote title query as None or Empty string

As said on other replies your users should use less instead of cat/tail/more etc. Another option is use "cat -vet" instead of pure cat.

As @richgalloway said you could/should use some other terminal value e.g. dummy or something else which cannot use ANSI codes. Of course you lost quite a many terminal's features with this way....

r. Ismo

Probably none of those.  Go to the Terminal setting and choose an emulation that does not support ANSI character sequences.  Be aware that different emulators have varying (or sometime no) support for applications that write to random screen locations (like full-screen editors and programs like top).