OpenSSL doesn't consider this an actual vulnerability, which is why it hasn't been fixed in v0.9.8x. It's a way of DoS'ing a server by requesting lots of expensive crypto operations. If you have unfettered access to the REST port you can flood Splunk with plenty of other types of requests that consume just as much CPU.
Any app that allows an operation like SSL negotiation to an untrusted host is subject to resource exhaustion. The correct answer is to restrict hosts if this is an issue.
Note also that if the OS firewall is not enabled, any OS is subject to a DoS through resource exhaustion somehow, even if it's just TCP port exhaustion.
This was brought up to Engineering in SPL-58707 and the information provided here serves as an official answer on the topic.