Security

Splunk 7.3.0 : Nessus scan vulnerability reported on splunk ports

Saravanakumar
Observer

Observation

The Nessus scan detected few certificate errors on the Splunk ports 8089 (management port), 8000(web-UI) and  8191(MONGOD).  

The certificate errors are

         (1) SSL Self-Signed Certificate,

        (2) SSL Certificate Cannot Be Trusted

        (3) SSL Certificate Signed Using Weak Hashing Algorithm.

The error (1) and (2) are happened due to self signed certificate and the error (3) happened, due to singed with SHA1 algorithm.

Action Taken:

Issue:

For 8089 and 8191,  seems it use the default certificate and keys present in the directory “/opt/splunk/etc/auth/”.

For splunk fresh installation, the default certificates and keys are generated with “sha256WithRSAEncryption”. This looks good.

But, the same splunk version installed few years back is singed with SHA1.  We removed /opt/splunk/etc/auth/server.pem and restarted splunkd. The new server.pem is generated with SHA256.

Questions:

(1) Other server.pem, the remaining various default certificate present in /opt/splunk/etc/auth/ directory are singed with SHA1.  How these can be converted to SHA256.  Can you please help us regarding the procedure for this ?

(2) Can you please clarify which certificate and keys are used for  8089 and 8191 ?

(3) We are Splunk licensed customer. Is splunk team is providing a way to sign and make the certificate trusted?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...