SSL Server Allows Cleartext Communication Vulnerability

jaracan
Communicator

Hi,

How do we resolve Splunk servers tagged with "SSL Server Allows Cleartext Communication Vulnerability" on port 8000?

Regards,

0 Karma
1 Solution

chrisyounger
SplunkTrust

This appears to be triggering because of your cipher suite. What version of Splunk are you currently on?

You can run these commands to find out what ciphers are available to you:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

You need to check what ciphers are currently allowed for the Splunk UI by running this command:

/opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

Make sure there are no NULL ciphers. If there are, you can manually set the cipher list in etc/system/local/web.conf.

This is an example from Splunk 7.2:

[settings]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 

If you upgrade your Splunk I feel like this might also solve your issue.

0 Karma
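
The check described in the answer above (read the configured cipherSuite, then confirm that no NULL ciphers appear in the expanded list), as an added example that is not part of the original thread. The function names and the sample btool and `openssl ciphers -v` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Sample data below is constructed.

# Pull the cipherSuite value out of `splunk btool web list --debug` output (stdin).
# With --debug, each line is prefixed by the .conf file that supplied the setting.
extract_cipher_suite() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^.*cipherSuite[[:space:]]*=[[:space:]]*//p'
}

# Read `openssl ciphers -v` output on stdin and print each suite that has no
# encryption (Enc=None) or no authentication (Au=None). Returns 1 if any found.
flag_weak_ciphers() {
    awk '{
        reason = ""
        if ($0 ~ /Enc=None/) reason = "cleartext"
        if ($0 ~ /Au=None/)  reason = (reason ? reason "+" : "") "anonymous"
        if (reason) { print $1, reason; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample: one btool line and three lines in `openssl ciphers -v` format.
SAMPLE_BTOOL='/opt/splunk/etc/system/default/web.conf  cipherSuite = TLSv1.2:!aNULL'
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA256
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA Enc=None        Mac=SHA256'

echo "configured: $(printf '%s\n' "$SAMPLE_BTOOL" | extract_cipher_suite)"
if printf '%s\n' "$SAMPLE_CIPHERS" | flag_weak_ciphers; then
    echo "no cleartext or anonymous suites"
else
    echo "remove the suites listed above from cipherSuite in web.conf"
fi

# On a live host, feed the real commands from the answer into the same functions:
#   suite=$("$SPLUNK_HOME/bin/splunk" btool web list --debug | extract_cipher_suite)
#   "$SPLUNK_HOME/bin/splunk" cmd openssl ciphers -v "$suite" | flag_weak_ciphers
```

In OpenSSL cipher strings, `!aNULL` removes only the anonymous (Au=None) suites; the no-encryption suites belong to the separate `eNULL`/`NULL` group.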

jaracan
Communicator

Hi Chris,

I am currently using Splunk version 6.6.5. Do you think it will be resolved if we upgrade to v7.0.8?
I know v7.1.x has some major GUI changes, that's why we would want to keep it with the same interface for now. Do you think it will eliminate the vulnerability?

Regards,

0 Karma

chrisyounger
SplunkTrust

I think there is a good chance that will probably fix it. You could download that version of Splunk and use the btool command above to check its ciphers vs your current list.

The new Splunk UI is really great and doesn't require too much learning or re-training. I highly recommend it.

0 Karma

jaracan
Communicator

I ran the command below:
sudo -u splunk /opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

And got this line below for web.conf
cipherSuite = TLSv1.2:!aNULL

0 Karma

chrisyounger
SplunkTrust

Here you go: https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/TurnonbasicencryptionwithSplunkWeb

To enable HTTPS with Splunk Web:

  1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.

  2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button. By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.

  3. Restart Splunk Web.

You must now prepend "https://" to the URL you use to access Splunk Web.

0 Karma

jaracan
Communicator

Hi Chris, it is already using SSL but still got that vulnerability.

0 Karma

chrisyounger
SplunkTrust

Oh sorry, I understand now. I will add a second answer.

0 Karma