We are seeing this vulnerability show up via qualys vuln scanning on both our dev and production splunk instances. I am using the same ssl config for both and have tried solving this multiple ways including the first solution proposed here: https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-se...this is what our ssl and http server config in server.conf looks like currently:
sslPassword = $encryptedsslpass$
serverCert = $servercertpath$
caCertFile = $cacertpath$
useSSLCompression = false
allowSSLCompression = false
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
replyHeader.X-XSS-Protection= 1; mode=block
replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'
Is there anything I need to add to this config or elsewhere to solve this vulnerability? I do not want to block the scanner from seeing the port as I have seen proposed in some solutions.
I'm having the same issue. Did you ever find a resolution?