Splunk Enterprise Security

Seeing (SSL/TLS Compression Algorithm Information Leakage Vulnerability port 8089/tcp over SSL) from qualys scanning

ncsasecops
Engager

We are seeing this vulnerability show up via qualys vuln scanning on both our dev and production splunk instances. I am using the same ssl config for both and have tried solving this multiple ways including the first solution proposed here: https://community.splunk.com/t5/Getting-Data-In/I-am-looking-for-clarification-on-SSL-compression-se...

this is what our ssl and http server config in server.conf looks like currently:

[sslConfig]

sslPassword = $encryptedsslpass$

serverCert = $servercertpath$

caCertFile = $cacertpath$

sendStrictTransportSecurityHeader=true

useSSLCompression = false

allowSSLCompression = false

sslVersions = tls1.2

sslVersionsForClient = tls1.2

cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

[httpServer]

replyHeader.X-XSS-Protection= 1; mode=block

replyHeader.Content-Security-Policy = script-src 'self'; object-src 'self'

 

Is there anything I need to add to this config or elsewhere to solve this vulnerability? I do not want to block the scanner from seeing the port as I have seen proposed in some solutions.

 



Labels (1)

CALEX
Explorer

I'm having the same issue. Did you ever find a resolution?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>