Vulnerability in compression algorithm

Zhanali
Path Finder

Hi all!

We deployed Splunk Cluster on OEL 8. The latest version is currently installed - 9.2.2. The vulnerability scanner found a vulnerability on all servers related to the compression algorithm:

Secure Sockets Layer/Transport Layer Security (SSL/TLS) Compression Algorithm Information Leakage Vulnerability

Affected objects:

port 8089/tcp over SSL

port 8191/tcp over SSL

port 8088/tcp over SSL

SOLUTION:
Compression algorithms should be disabled. The method of disabling it varies depending on the application you're running. If you're using a hardware device or software not listed here, you'll need to check the manual or vendor support options.

RESULTS:
Compression_method_is DEFLATE .

 

Tried to solve:

Add these strings to server.conf in the local location:

[sslConfig]
allowSslCompression = false
useClientSSLCompression = false
useSplunkdClientSSLCompression = false


 

Result of attempt:

On some servers it only helped with 8089, on some servers it helped with 8191, and on some servers it didn't help at all.

 

Question:

Has anyone been able to solve this problem? And how can I understand why I got different results with the same settings? What other solutions can you suggest?


Thank you all in advance!

 

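As an added check, not code from the thread or from Splunk, assuming Python 3.7+ with an OpenSSL build that still supports zlib compression and a hostname you supply on the command line: the script reads the three compression keys from a server.conf [sslConfig] stanza and then connects to each port the scanner listed while offering TLS compression, so you can see per port whether DEFLATE is still negotiated after the configuration change.

```python
import configparser
import socket
import ssl

SPLUNK_TLS_PORTS = (8089, 8191, 8088)  # ports from the scanner finding above

# The server.conf [sslConfig] keys the post set to false.
COMPRESSION_KEYS = ("allowSslCompression", "useClientSSLCompression",
                    "useSplunkdClientSSLCompression")


def compression_settings(conf_text):
    """Read the three compression keys from an [sslConfig] stanza.
    Returns True/False per key, or None when the key is absent (default applies)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase key names
    parser.read_string(conf_text)
    out = {}
    for key in COMPRESSION_KEYS:
        value = parser.get("sslConfig", key, fallback=None)
        out[key] = None if value is None else value.strip().lower() in ("true", "1")
    return out


def build_probe_context():
    """Client context that offers TLS compression so a server that still has it
    enabled can negotiate it. Python's default context sets OP_NO_COMPRESSION
    (which would hide the issue) and TLS 1.3 has no compression, so cap at 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # Splunk's default certs are self-signed
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_port(host, port, timeout=5.0):
    """Return the compression method the server negotiated ('zlib' is DEFLATE)
    or None when no compression was agreed; raises OSError on connect failure."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_probe_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    for port in SPLUNK_TLS_PORTS:
        try:
            print(f"{host}:{port} compression={probe_port(host, port) or 'NONE'}")
        except OSError as exc:
            print(f"{host}:{port} not checked ({exc})")
```

If the local OpenSSL was built without zlib, the client can never offer compression and every port reports NONE regardless of the server, so cross-check against the scanner. A port still reporting 'zlib' after the [sslConfig] change points at a setting that did not take effect for that listener.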

TheLawsOfChaos
Path Finder

Can you please list which vulnerability scanner was used to determine this finding, and which plugin ID? This information is vital for us to really triage this:

1) See what the vulnerability scanner is actually looking for

2) See if Splunk is actually affected, as there are many times 

I'm guessing this is from Qualys, and is QID 38599. I know this plugin is old, as it's mentioned in a community post on Qualys' website from 2014, and is related to the 'CRIME' attack. If I am correct on this being the plugin in question, it's about CVE-2012-4929.

There is an official Splunk response about this CVE here : https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-shows-vulnerable-to-CVE-2012-4929-in-my-...

Important parts from what the Splunk employee stated are :

  1. This is directed at web browsers hitting web servers, which are not any of the ports you listed.
  2. Splunk doesn't use SPDY at all
  3. This bug is more about web browsers hitting servers, and as such Splunk web won't mitigate against vulnerable browsers.

That said, again, this is from 2012 and it's 2024, so it's unlikely anyone is using an affected browser, and even if they were, 8089/8191/8088 are not web server ports.

I would write up documentation stating that this plugin should be ignored for this use case, as this vulnerability is no longer relevant on modern technology. 


inventsekar
SplunkTrust

Hi @Zhanali, "OEL 8"... you meant RHEL 8?

I assume you have got Splunk Support. May I know if you have contacted the Splunk Support team?


Zhanali
Path Finder

Hi @inventsekar

OEL8 is Oracle Enterprise Linux 8.9.

No, we haven't opened the case yet, it's in progress.
