SSL Server Allows Cleartext Communication Vulnerability

Communicator

Hi,

How do we resolve Splunk servers tagged with "SSL Server Allows Cleartext Communication Vulnerability" on port 8000?

Regards,

Re: SSL Server Allows Cleartext Communication Vulnerability

SplunkTrust

Here you go: https://docs.splunk.com/Documentation/Splunk/6.5.0/Security/TurnonbasicencryptionwithSplunkWeb

To enable HTTPS with Splunk Web:

  1. In Splunk Web, select Settings > System > Server settings, and then click General Settings.

  2. Under Splunk Web, for Enable SSL (HTTPS) in Splunk Web, select the Yes radio button. By default, Splunk deployments point to the default certificates when encryption is turned on, so no further action is needed.

  3. Restart Splunk Web.

You must now prepend "https://" to the URL you use to access Splunk Web.

Re: SSL Server Allows Cleartext Communication Vulnerability

Communicator

Hi Chris, it is already using SSL but still got that vulnerability.

Re: SSL Server Allows Cleartext Communication Vulnerability

SplunkTrust

Oh sorry, I understand now. I will add a second answer.

Re: SSL Server Allows Cleartext Communication Vulnerability

SplunkTrust

This appears to be triggering because of your cipher suite. What version of Splunk are you currently on?

You can run these commands to find out what ciphers are available to you:

$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "TLSv1.2"
$SPLUNK_HOME/bin/splunk cmd openssl ciphers -v "HIGH"

You need to check what ciphers are currently allowed for the Splunk UI by running this command:

/opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

Make sure there are no NULL ciphers. If there are, you can manually set the cipher list in etc/system/local/web.conf.

This is an example from Splunk 7.2:

[settings]
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 

If you upgrade your Splunk I feel like this might also solve your issue.

Re: SSL Server Allows Cleartext Communication Vulnerability

Communicator

Hi Chris,

I am currently using Splunk version 6.6.5. Do you think it will be resolved if we upgrade to v7.0.8?
I know v7.1.x has some major GUI changes, that's why we would want to keep the same interface for now. Do you think it will eliminate the vulnerability?

Regards,

Re: SSL Server Allows Cleartext Communication Vulnerability

SplunkTrust

I think there is a good chance that will probably fix it. You could download that version of Splunk and use the btool command above to check its ciphers vs your current list.

The new Splunk UI is really great and doesn't require too much learning or re-training. I highly recommend it.

Re: SSL Server Allows Cleartext Communication Vulnerability

Communicator

I ran the command below:
sudo -u splunk /opt/splunk/bin/splunk btool web list --debug | grep cipherSuite

And got this line below for web.conf:
cipherSuite = TLSv1.2:!aNULL

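Added example (not part of the original thread and not Splunk tooling): the manual check described in the answer above, scripted so it can be run against whatever cipherSuite btool reports. In OpenSSL cipher strings `!aNULL` removes only suites with no authentication, while suites with no encryption are the separate `eNULL` class, so the script inspects the expanded list for both. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag ciphers that provide no encryption (Enc=None) or no authentication (Au=None).

# Read `splunk btool web list --debug` output on stdin and print the
# cipherSuite value. --debug prefixes each line with the source file path.
extract_cipher_suite() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^.*cipherSuite[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Read `openssl ciphers -v` output on stdin and print every cipher whose
# Enc= field is None (cleartext) or whose Au= field is None (anonymous).
flag_weak_ciphers() {
    awk '{
        reason = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Enc=None") reason = reason " no-encryption"
            if ($i == "Au=None")  reason = reason " no-authentication"
        }
        if (reason != "") print $1 ":" reason
    }'
}

# Constructed sample in the `openssl ciphers -v` column format, so the
# script can be tried without a Splunk install. Not output from a real host.
sample_cipher_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
EOF
}

# On a real server (commands taken from the thread above):
#   suite=$("$SPLUNK_HOME/bin/splunk" btool web list --debug | extract_cipher_suite)
#   "$SPLUNK_HOME/bin/splunk" cmd openssl ciphers -v "$suite" | flag_weak_ciphers
# No output means the configured string expands to no NULL or anonymous suites.

# Demo on the constructed sample.
sample_cipher_listing | flag_weak_ciphers
```

Run it before and after editing web.conf (or against a downloaded newer Splunk version) to compare what each cipherSuite string actually expands to.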