Hi all!
We deployed a Splunk Cluster on OEL 8. The latest version is currently installed - 9.2.2. The vulnerability scanner found a vulnerability on all servers related to the compression algorithm:
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Compression Algorithm Information Leakage Vulnerability
Affected objects:
port 8089/tcp over SSL
port 8191/tcp over SSL
port 8088/tcp over SSL
SOLUTION:
Compression algorithms should be disabled. The method of disabling it varies depending on the application you're running. If you're using a hardware device or software not listed here, you'll need to check the manual or vendor support options.
RESULTS:
Compression_method_is DEFLATE .
Tried to solve:
Added these lines to server.conf in the local directory:
[sslConfig]
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false
Result of attempt:
On some servers it only helped with 8089, on some servers it helped with 8191, and on some servers it didn't help at all.
Question.
Has anyone been able to solve this problem? And how can I understand why I got different results with the same settings? What other solutions can you suggest?
Thank you all in advance!
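To see per port whether the setting actually took effect on a given node (and to reproduce what the scanner is measuring), here is an added probe script; it is not part of the original post and not Splunk's own tooling. It handshakes with a client context that still permits TLS compression and reports what the server negotiated. The host name is a placeholder to replace with your own nodes.

```python
import socket
import ssl

SPLUNK_TLS_PORTS = (8089, 8191, 8088)  # the three ports the scanner flagged


def compression_capable_context() -> ssl.SSLContext:
    """Client context that does not refuse TLS compression, so a server
    still offering DEFLATE is able to negotiate it with us. Certificate
    checks are off because we only inspect a handshake parameter."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.options &= ~ssl.OP_NO_COMPRESSION  # Python sets this flag by default
    return ctx


def client_allows_compression(ctx: ssl.SSLContext) -> bool:
    """True when the context would accept a compression method if offered."""
    return not (ctx.options & ssl.OP_NO_COMPRESSION)


def classify(negotiated) -> str:
    """Map SSLSocket.compression() (None or a method name such as
    'zlib compression') to the scanner's verdict for the port."""
    return "disabled" if negotiated is None else "ENABLED (" + negotiated + ")"


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Handshake with host:port and report the negotiated compression."""
    ctx = compression_capable_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.compression())
    except OSError as exc:  # port closed, not TLS, timeout, ssl.SSLError
        return "error: " + str(exc)


if __name__ == "__main__":
    import sys

    # Placeholder host; pass real node names on the command line.
    hosts = sys.argv[1:] or ["splunk-idx01.example.internal"]
    for host in hosts:
        for port in SPLUNK_TLS_PORTS:
            print(host, port, probe_port(host, port))
```

One caveat: if the OpenSSL that Python links against was built without zlib (the default since OpenSSL 1.1.0), the client can never negotiate compression and every port reports "disabled", so confirm the probe against a node the scanner still flags before trusting its result.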
Can you please list which vulnerability scanner was used to determine this finding, and which plugin ID? This information is vital for us to really triage this:
1) See what the vulnerability scanner is actually looking for
2) See if Splunk is actually affected, as there are many times
I'm guessing this is from Qualys, and is QID 38599. I know this plugin is old, as it's mentioned in a community post on Qualys' website from 2014, and is related to the 'CRIME' attack. If I am correct on this being the plugin in question, it's about CVE-2012-4929.
There is an official Splunk response about this CVE here: https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-...
Important parts from what the Splunk employee stated are:
That said, again, this is from 2012 and it's 2024 so it's unlikely anyone is using an affected browser and even if they were, 8089/8191/8088 are not web server ports.
I would write up documentation stating that this plugin should be ignored for this use case, as this vulnerability is no longer relevant on modern technology.
Hi @Zhanali. "OEL 8"... you meant RHEL 8?
I assume you have got Splunk Support. May I know if you have contacted the Splunk Support team?
Hi @inventsekar.
OEL8 is Oracle Enterprise Linux 8.9.
No, we haven't opened the case yet, it's in progress.