We just found SSLv3 "POODLE" vulnerability alerts from our IPS system, and our Splunk Universal Forwarder is on 6.4.2.
I thought the SSLv3 POODLE issue only appeared in Splunk versions earlier than 6.3?
Should I use the same workaround mentioned here?
https://answers.splunk.com/answers/176970/is-it-possible-to-disable-ssl-v3-on-the-universal.html
Many thanks in advance.
@season88481 - Did the Splunk blog post referenced by gokadroid below help answer your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
Can you please have a look at this blog which talks about fixing the poodle vulnerability on Splunk:
http://blogs.splunk.com/2014/10/22/mitigating-the-poodle-attack-in-splunk/
So we are not using SSL forwarding between the UF and HWF.
The only SSL communication I can think of is the REST connection on 8089. However, since we are not making any command-line or REST requests to the UF, I will try disabling the management port by deploying a server.conf:
[httpServer]
disableDefaultPort = true
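
An added example, not part of the thread or of Splunk's own tooling: a small audit that reads a server.conf and reports whether the management port is disabled and whether the configured `sslVersions` still admits SSLv3. It assumes the `[sslConfig]` `sslVersions` syntax from Splunk's server.conf documentation (names `ssl3`, `tls1.0`, `tls1.1`, `tls1.2`, `*` for all, `tls` for all TLS versions, a leading `-` to exclude); the function names and sample files are constructed for illustration.

```python
import configparser

ALL = {"ssl3", "tls1.0", "tls1.1", "tls1.2"}

def enabled_versions(spec):
    """Expand an sslVersions value into the set of protocols it enables."""
    enabled = set()
    for tok in (t.strip().lower() for t in spec.split(",")):
        if not tok:
            continue
        name = tok.lstrip("-")
        if name == "*":
            group = set(ALL)
        elif name == "tls":
            group = {v for v in ALL if v.startswith("tls")}
        else:
            group = {name}
        # A leading "-" removes the version(s); otherwise they are added.
        enabled = enabled - group if tok.startswith("-") else enabled | group
    return enabled & ALL  # ignore names outside the assumed set, e.g. ssl2

def audit(conf_text):
    """Report management-port and SSLv3 state for one server.conf."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(conf_text)
    port_off = cp.get("httpServer", "disableDefaultPort",
                      fallback="false").strip().lower() in ("true", "1")
    spec = cp.get("sslConfig", "sslVersions", fallback=None)
    # None means "not set here": the effective value is the version default,
    # which this script does not guess.
    ssl3 = None if spec is None else "ssl3" in enabled_versions(spec)
    return {"mgmt_port_disabled": port_off, "sslVersions": spec,
            "ssl3_allowed": ssl3}

# Constructed sample files (not taken from a real deployment).
POST_CONF = "[httpServer]\ndisableDefaultPort = true\n"
WEAK_CONF = "[sslConfig]\nsslVersions = *,-ssl2\n"
HARDENED_CONF = "[sslConfig]\nsslVersions = tls1.2\n"

if __name__ == "__main__":
    for label, text in (("post", POST_CONF), ("weak", WEAK_CONF),
                        ("hardened", HARDENED_CONF)):
        print(label, audit(text))
```

A single file is only one configuration layer; running the audit over the merged output of `splunk btool server list` checks the effective settings on the forwarder.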