Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SSL Server Allows Cleartext Communication Vulnerability

jaracan
Communicator
‎02-20-2019 09:44 PM

Hi,

How do we resolve Splunk servers tagged with "SSL Server Allows Cleartext Communication Vulnerability" on port 8000?

Regards,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-20-2019 10:17 PM

This appears to be triggering because of your cipher suite. What version of Splunk are you currently on?

You can run these commands to find out what ciphers are available to you:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v
 $SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"
 $SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

You need to check what ciphers are currently allowed for the Splunk UI by running this command:

/opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

Make sure there are no NULL ciphers. If there are you can manually set the cipher list in etc/system/local/web.conf

This is an example from Splunk 7.2:

[settings]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

If you upgrade your Splunk I feel like this might also solve your issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-20-2019 10:17 PM

This appears to be triggering because of your cipher suite. What version of Splunk are you currently on?

You can run these commands to find out what ciphers are available to you:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v
 $SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"
 $SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

You need to check what ciphers are currently allowed for the Splunk UI by running this command:

/opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

Make sure there are no NULL ciphers. If there are you can manually set the cipher list in etc/system/local/web.conf

This is an example from Splunk 7.2:

[settings]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

If you upgrade your Splunk I feel like this might also solve your issue.

0 Karma
Reply
Solved! Jump to solution

jaracan
Communicator
‎02-20-2019 10:49 PM

Hi Chris,

I am currently using Splunk version 6.6.5. Do you think it will be resolve if we upgrade to v7.0.8?
I know v7.1.x have some major GUI changes that why we would want to keep it with the same interface for now. Do you think it will eliminate the vulnerability?

Regards,

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-20-2019 10:53 PM

I think there is a good chance that will probably fix it. You could download that version of Splunk and use the btool command above to check its ciphers vs your current list.

The new Splunk UI is really great and doesn't require too much learning or re-training. I highly recommend it.

0 Karma
Reply
Solved! Jump to solution

jaracan
Communicator
‎02-20-2019 10:55 PM

I ran the command below:
sudo -u splunk /opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

And got this line below for web.conf
cipherSuite = TLSv1.2:!aNULL

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-20-2019 09:48 PM

Here you go: https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/TurnonbasicencryptionwithSplunkWeb

To enable HTTPS with Splunk Web:

  1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.

  2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button. By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.

  3. Restart Splunk Web.

You must now prepend "https://" to the URL you use to access Splunk Web.

0 Karma
Reply
Solved! Jump to solution

jaracan
Communicator
‎02-20-2019 10:03 PM

Hi Chris, it is already using SSL but still got that vulnerability.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-20-2019 10:11 PM

Oh sorry, I understand now. I will add a second answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...