Splunk response to SSLv3 "POODLE" vulnerability (CVE-2014-3566)

Description

• Splunk Enterprise response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Hunk response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk Cloud response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk MINT response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk Storm response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk App for Stream response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk App for VMware response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)
• Splunk App for NetApp Data ONTAP response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Splunk will update this advisory as additional information becomes available.

At the time of this announcement, Splunk is not aware of any cases where this vulnerability has been actively exploited. Previous Product Security Announcements can be found on our Splunk Product Security Portal. Use SPL numbers when referencing issues in communication with Splunk. If there is no CVE Identifier listed with a vulnerability, it will be added once it is assigned by a CVE Numbering Authority. To standardize the calculation of severity scores for each vulnerability, when appropriate, Splunk uses Common Vulnerability Scoring System version 2.

Affected Products and Components

• Splunk Enterprise
  • Affected versions: All versions of Splunk Enterprise 6.2.x, 6.1.x, 6.0.x, and 5.0.x.
  • Affected components: Search heads, heavy forwarders, universal forwarders, indexers, and KV Store/MongoDB.
• Hunk
  • Affected versions: All versions of Hunk 6.2.x, 6.1.x and 6.0.x.
• Splunk Cloud
• Splunk MINT
• Splunk Storm
• Splunk App for Stream
• Splunk App for VMware
• Splunk App for NetApp Data ONTAP

  Mitigation and Upgrades

  Splunk Enterprise and Hunk 6.2.0

  Hunk 6.2.0 and Splunk Enterprise 6.2.0 introduce the sslVersions attribute to permit administrators to manage SSL/TLS protocol support parameters on Splunk Web, Indexers, and Splunkd management ports. Additionally, SSLv3 support in 6.2.0 contains TLS_FALLBACK_SCSV to further mitigate the POODLE attack. Splunk Enterprise 6.2.0 and Hunk 6.2.0 have SSLv3 enabled by default. SSLv3 can be removed after all legacy installations are upgraded to 6.2.0. Please review Known Issues prior to upgrading.

Splunk Enterprise 6.1.5

Splunk Enterprise 6.1.5 addresses SSLv3 issues via a separate security advisory.

Splunk Enterprise 6.0.7 and 5.0.11

Splunk Enterprise 6.0.7 and 5.0.11 address SSLv3 issues via a separate security advisory.

Splunk Enterprise 6.1.x, 6.0.x, 5.0.x, and Hunk 6.1.x, 6.0.x

Splunk Web: Systems running Splunk Web where users access the web over untrusted networks are the most at risk. Customers that have deployed Splunk Web via a trusted network or behind a TLS-enforcing reverse proxy are not at risk. Splunk Web is installed on port 8000 in a default installation. The default SSL configuration of Splunk Enterprise and Hunk supports TLS connections.

SSLv3 is used within Splunk deployments as a transport security protocol.

In order to perform the attack, an attacker must intercept and modify traffic between the client and the server. The attacker must also be able to induce the client to generate specific known requests to the server.

Splunk Web: Systems running Splunk Web where users access the web over untrusted networks are the most at risk. Customers that have deployed Splunk Web via a trusted network or behind a TLS-enforcing reverse proxy are not at risk. Splunk Web is installed on port 8000 in a default installation. The default SSL configuration of Splunk Enterprise and Hunk supports TLS connections.

Browser mitigations: Affected customers can disable SSLv3 in Internet Explorer (via Internet Options), Chrome (command line argument of –ssl-version-min=tls1), and Firefox.

Splunk components: Universal Forwarders, Indexers and KV Store/MongoDB will also show in vulnerability scans as able to negotiate SSLv3. However, they do not permit an attacker to generate the necessary arbitrary requests to execute an attack.

Vulnerability Descriptions and Ratings

Splunk Enterprise response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk Enterprise versions 6.2.x, 6.1.x, 6.0.x, and 5.0.x support SSL/TLS security for end-user access to Splunk Web, Splunk management communication, and forwarders. Please review Mitigation and Upgrades in order to understand and mitigate this issue.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Hunk response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Hunk versions 6.2.x, 6.1.x, and 6.0.x support SSL/TLS security for end-user access to Splunk Web and management components. Please review Mitigation and Upgrades in order to understand and mitigate this issue.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk Cloud response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk Cloud is currently triaging the POODLE vulnerability and deploying non-service-affecting patches. Splunk Cloud does currently support SSLv3 and TLS protocols. Users accessing Splunk Cloud can deploy browser changes to mitigate this issue.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk MINT response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk MINT has removed SSLv3 support or implemented TLS_FALLBACK_SCSV to protect users accessing MINT. Users accessing Splunk MINT can deploy browser changes to mitigate this issue.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk Storm response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk Storm is currently triaging and deploying non-service-affecting patches. Splunk Storm does currently support SSLv3 and TLS protocols. Users accessing Splunk Storm can currently use browser changes to mitigate this issue.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk App for Stream response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk App for Stream 6.1.0 was released on November 6, 2014. This release addresses the “POODLE” vulnerability by disabling SSLv3 support.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk App for VMware response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Splunk App for VMware 3.1.2 and prior provide no method to disable support for SSLv3. Splunk App for VMware 3.1.3 disables the support for SSLv3 in when installed on Splunk Enterprise 6.0.7 or later, Splunk Enterprise 6.1.5 or later, or Splunk Enterprise 6.2.1 or later.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Splunk App for NetApp Data ONTAP response to SSLv3 “POODLE” vulnerability (CVE-2014-3566)

Description: Description: Splunk App for NetApp Data ONTAP 2.0.1 and prior provide no method to disable support for SSLv3. Splunk App for NetApp Data ONTAP 2.0.2 disables the support for SSLv3 in when installed on Splunk Enterprise 6.0.7 or later, Splunk Enterprise 6.1.5 or later, or Splunk Enterprise 6.2.1 or later.

CVSS Base Score 5.4

CVSS Impact Subscore 6.4

CVSS Exploitability Subscore 5.5

Overall CVSS Score 5.4

Document History

• 2014-Oct-14: Rev 2. Hunk added and mitigation corrections
• 2014-Oct-15: Rev 3. Additional Splunk products added
• 2014-Oct-28: Rev 4. Splunk Enterprise 6.2.0 and Hunk 6.2.0 added
• 2014-Nov-11: Rev 5. Splunk Enterprise 6.1.5 added
• 2014-Nov-20: Rev 6. Splunk Enterprise 6.0.7 and 5.0.11 added
• 2014-Nov-21: Rev 7. Updated Splunk App for Stream 6.1, Added Splunk App for VMware 3.1.2, Added Splunk App for NetApp Data ONTAP 2.0.1
• 2014-Dec-23: Rev 8. Updated Splunk App for VMware 3.1.3, Updated Splunk App for NetApp Data ONTAP 2.0.2