Installation

Upgrade of OpenSSL due to MitM potential

rkilen
Explorer

I have received a vulnerability report indicating a MitM exploit was successful against ports 8000, 8089 and 9997 on our Splunk servers and some (probably all) forwarders. The resolution is to update to 1.0.2h (or 1.0.1t, which doesn't apply) or higher. Please let me know if I need to provide more detail for Splunk to upgrade the version of openssl to close this vulnerability.

More details:
Synopsis
It was possible to obtain sensitive information from the remote host with TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256.
The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.

Resolution:
UPgrade OpenSSL to 1.01.x or higher

Solution
Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.

Labels (1)
0 Karma

ppablo
Retired

Hi @rkilen

Another user asked a question earlier this week about this. Thanks for providing more details for the Splunk community to be aware of.
https://answers.splunk.com/answers/418323/when-will-splunk-address-the-openssl-vulnerability.html

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...