
Splunk 8.0.0: Sensitive Information disclosure?

randre
New Member

I have got pentest results with the following:

It was possible to access those endpoints unauthenticated:

https://x.x.x.x/en-US/config
https://x.x.x.x/en-GB/config
https://x.x.x.x/en-US/info
https://x.x.x.x/en-US/paths
https://x.x.x.x/en-us/lists
https://x.x.x.x/en-US/embed

Is it really a vulnerability? They said that it's config data, not public data, so it should not be visible.

How can we stop those endpoints from being reached unauthenticated?


richgalloway
SplunkTrust

The pentest is one opinion; yours is another.  You know more about Splunk so your opinion should count for more.  If you believe the information disclosed is not a problem then you should be able to convince your company to accept that over the pentest results.

The endpoints should be documented in the REST API manual, but that will detail the requests and responses.  It won't say "this is not a vulnerability".  It's up to you to make that decision.

---
If this reply helps you, an upvote would be appreciated.

randre
New Member

Is it the REST API though?

Like I said, I was not able to find documentation about those endpoints.

Sounds silly, but if you can find it that would be great... (and would also be troublesome for me).


richgalloway
SplunkTrust

I said it should be in the REST API manual, not that it is.  If you find an endpoint that is not documented then consider submitting feedback on the API manual so it can be included.

---
If this reply helps you, an upvote would be appreciated.

richgalloway
SplunkTrust

Perhaps your firewall can be used to restrict access to those endpoints.  They'll still be open, but the risk will be lower.

The acceptFrom attribute in server.conf may help limit access to the endpoints.

You can try setting requireAuthentication = true in restmap.conf, but I don't know if this will do what you want.  Try it on a test system first.

---
If this reply helps you, an upvote would be appreciated.

randre
New Member

Thanks

requireAuthentication defaults to true anyway, so it should not fix my issue.

And I have to keep acceptFrom = *.

My problem is that I don't find documentation about those endpoints, so I am not even sure it's a security issue.


richgalloway
SplunkTrust

Try the endpoints yourself to see what they return.  If you don't like what comes out, then it's a security issue.  😀

---
If this reply helps you, an upvote would be appreciated.
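The advice above is to check the endpoints yourself. The script below is an added example (not from this thread, not Splunk's own tooling) that turns that check into something repeatable: it requests each path from the pentest report without any session cookie, refuses to follow redirects, and classifies the raw response so the finding can be recorded as "exposed unauthenticated", "auth enforced" or "absent". It assumes that Splunk Web answers an unauthenticated browser with a redirect whose Location contains `/account/login`; that assumption, the `REPORTED_PATHS` list and the `endpoint-check` User-Agent string are this example's, not the page's.

```python
"""Classify how Splunk Web answers the pentest's endpoints with no session.

Added example, not from the thread or from Splunk. Assumption: an
unauthenticated request that is bounced to the login page arrives as a
3xx whose Location contains '/account/login'.
"""
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Paths exactly as listed in the pentest finding in the question.
REPORTED_PATHS = [
    "/en-US/config", "/en-GB/config", "/en-US/info",
    "/en-US/paths", "/en-us/lists", "/en-US/embed",
]

LOGIN_MARKER = "/account/login"   # assumed login redirect target


@dataclass
class Probe:
    """The parts of one response that decide the verdict."""
    path: str
    status: int
    location: str   # Location header, '' when absent
    body_len: int


def classify(p: Probe) -> str:
    """Turn a raw response into a verdict for the finding."""
    if p.status in (401, 403):
        return "auth-enforced"
    if p.status in (301, 302, 303, 307, 308) and LOGIN_MARKER in p.location:
        return "auth-enforced"            # bounced to the login page
    if p.status == 404:
        return "absent"
    if p.status == 200 and p.body_len > 0:
        return "exposed-unauthenticated"  # content served with no session
    return "unclear"                      # e.g. redirect somewhere else: look by hand


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 3xx itself instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url: str, path: str, timeout: float = 10, verify_tls: bool = True) -> Probe:
    """GET one path with no cookies and no credentials."""
    ctx = ssl.create_default_context()
    if not verify_tls:                    # only for a lab host with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "endpoint-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Probe(path, resp.status, resp.headers.get("Location", ""), len(resp.read()))
    except urllib.error.HTTPError as err:  # 3xx (from _NoRedirect) and 4xx/5xx land here
        return Probe(path, err.code, err.headers.get("Location", ""), len(err.read() or b""))


def report(base_url: str, paths=REPORTED_PATHS, **kw) -> dict:
    """Verdict per path for one Splunk Web base URL."""
    return {p: classify(fetch(base_url, p, **kw)) for p in paths}


if __name__ == "__main__":
    # usage: python endpoint_check.py https://splunk.example.internal:8000
    for path, verdict in report(sys.argv[1]).items():
        print(f"{verdict:25} {path}")
```

Run it once before the fix and once after any firewall or configuration change; a path that moves from `exposed-unauthenticated` to `auth-enforced` is the evidence to attach to the pentest ticket, and anything reported as `unclear` deserves a manual look at the actual response.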

randre
New Member

Yeah, I checked those and I am fine with them.

The problem is that according to a pentest, it publicly exposes config data.

So I now need to show that it is actually fine (but not finding docs for that is not helping), or I need to block those URLs.

Looks like it is not possible via configuration, and I would really like not to have to keep a set of rules on the network devices.
