Getting Data In

security - ssl rest api not closed on /dev/zero stream input

lmcphpe
Engager

If you run the command
openssl s_client -connect ip:port < /dev/zero 2>&1
towards the rest api (port 8089) with ssl enabled, the tcp connection stays up forever after ssl handshake is done.

is there a way to mitigate this vulnerability?

aaraneta_splunk
Splunk Employee
Splunk Employee

@lmcphpe - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

jtacy
Builder

This reminds me of the Slowloris [https://en.wikipedia.org/wiki/Slowloris_(computer_security)] attack that takes advantage of web servers that can't handle a lot of open connections. I haven't tested to see how vulnerable Splunk is but I would seriously consider placing some kind of reverse proxy in front of any user-facing services. I'm sure nginx is a popular option for this but if you already have F5 load balancers you may be able to use HTTP and OneConnect profiles to separate the client and server side connections. I'm sure other load balancers have similar options.

0 Karma

dwaddle
SplunkTrust
SplunkTrust

I would suggest that you look at how to report a possible vulnerability at https://www.splunk.com/page/securityportal. Report it there, and the ProdSec team will review as needed and get back to you.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...