
SSL Server Allows Cleartext Communication Vulnerability

jaracan
Communicator

Hi,

How do we resolve Splunk servers tagged with "SSL Server Allows Cleartext Communication Vulnerability" on port 8000?

Regards,

0 Karma

chrisyounger
SplunkTrust

This appears to be triggering because of your cipher suite. What version of Splunk are you currently on?

You can run these commands to find out what ciphers are available to you:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

You need to check what ciphers are currently allowed for the Splunk UI by running this command:

/opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

Make sure there are no NULL ciphers. If there are, you can manually set the cipher list in etc/system/local/web.conf.

This is an example from Splunk 7.2:

[settings]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 

If you upgrade your Splunk, I feel like this might also solve your issue.

0 Karma
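
One way to automate the "make sure there are no NULL ciphers" check from the answer above, as an added example that is not part of the original posts or Splunk's own tooling. It parses `openssl ciphers -v` output; the function names and sample lines are constructed for illustration. A value such as `TLSv1.2:!aNULL` excludes only anonymous-authentication suites, so eNULL entries have to be checked for separately.

```sh
#!/bin/sh
# Added example (not from the thread): flag cipher suites with no encryption
# (Enc=None, eNULL) or no authentication (Au=None, aNULL) in the output of
# `openssl ciphers -v`.

# Reads `openssl ciphers -v` lines on stdin and prints "<reason> <cipher>"
# for every weak entry; prints nothing when the list is clean.
flag_weak_ciphers() {
    awk '{
        enc = 0; au = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "Enc=None") enc = 1
            if ($i == "Au=None")  au = 1
        }
        if (enc && au) print "eNULL+aNULL", $1
        else if (enc)  print "eNULL", $1
        else if (au)   print "aNULL", $1
    }'
}

# Constructed sample of `openssl ciphers -v` output (not captured from a
# real Splunk host): two acceptable suites, one eNULL, one aNULL.
sample_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA256               TLSv1.2 Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA256
NULL-SHA256                 TLSv1.2 Kx=RSA  Au=RSA  Enc=None        Mac=SHA256
ADH-AES256-GCM-SHA384       TLSv1.2 Kx=DH   Au=None Enc=AESGCM(256) Mac=AEAD
EOF
}

# Expands a cipherSuite value with Splunk's bundled OpenSSL and flags the
# result. The /opt/splunk fallback is the install path used in this thread.
check_suite() {
    "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" cmd openssl ciphers -v "$1" |
        flag_weak_ciphers
}

# With an argument, check that cipher string on a Splunk host;
# without one, run the constructed sample.
if [ "$#" -gt 0 ]; then
    check_suite "$1"
else
    sample_ciphers | flag_weak_ciphers
fi
```

On a Splunk host, pass the value that btool reports as the first argument. Any `eNULL` line means the cipher string still permits unencrypted suites and needs `:!eNULL` appended or an explicit list like the one in the answer above.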

jaracan
Communicator

Hi Chris,

I am currently using Splunk version 6.6.5. Do you think it will be resolved if we upgrade to v7.0.8?
I know v7.1.x has some major GUI changes; that's why we would want to keep it with the same interface for now. Do you think it will eliminate the vulnerability?

Regards,

0 Karma

chrisyounger
SplunkTrust

I think there is a good chance that will probably fix it. You could download that version of Splunk and use the btool command above to check its ciphers vs your current list.

The new Splunk UI is really great and doesn't require too much learning or re-training. I highly recommend it.

0 Karma

jaracan
Communicator

I ran the command below:
sudo -u splunk /opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

And got this line below for web.conf
cipherSuite = TLSv1.2:!aNULL

0 Karma

chrisyounger
SplunkTrust

Here you go: https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/TurnonbasicencryptionwithSplunkWeb

To enable HTTPS with Splunk Web:

  1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.

  2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button. By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.

  3. Restart Splunk Web.

You must now prepend "https://" to the URL you use to access Splunk Web.

0 Karma

jaracan
Communicator

Hi Chris, it is already using SSL but still got that vulnerability.

0 Karma

chrisyounger
SplunkTrust

Oh sorry, I understand now. I will add a second answer.

0 Karma