Monitoring Splunk

Splunk Security Finding

khusain_splunk
Splunk Employee
Splunk Employee

Hi,

Please update us if the HTTP OPTIONS can be disabled? What are the affected ports?

Vulnerability Name: HTTP OPTIONS Method Enabled
Description: Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.
Remediation: Disable HTTP OPTIONS method on the web server.

Tags (1)
0 Karma

woodcock
Esteemed Legend

You have not given us the source of this report. We have no reason to believe that it is accurate and we do not have enough details about what they think the vulnerability is to help you mitigate. Why did you not post ALL of the details, including the link to this claim?

0 Karma

khusain_splunk
Splunk Employee
Splunk Employee

Hi,

At the moment, the OPTIONS HTTP method cannot be disabled on the Splunk server (tcp/8089). It is enabled for Cross-Origin Resource Sharing (CORS) purpose. However, there are ways to handle this outside of Splunk. You can simply run an Apache or Nginx server to block requests from clients with OPTIONS HTTP method.

It seems to me that an attacker could just an easily try all HTTP methods to see which ones respond; thus blocking this one method seems unlikely to reduce risk much.

You can try changing the port 8089 to something else.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!