===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0076
   A number of vulnerabilities have been identified in Splunk Enterprise
                               15 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Splunk Enterprise
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Unauthorised Access            -- Remote with User Interaction
                      Provide Misleading Information -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3470 CVE-2014-0224 
Member content until: Thursday, August 14 2014
Reference:            ESB-2014.0887

OVERVIEW

        A number of vulnerabilities have been identified in Splunk Enterprise
        prior to versions 6.1.2, 6.0.5, and 5.0.9. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "OpenSSL susceptible to man-in-the-middle via CCS Injection 
        (SPL-85063, CVE-2014-0224)
        
        Description: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1
        before 1.0.1h does not properly restrict processing of 
        ChangeCipherSpec messages, which allows man-in-the-middle attackers
        to trigger use of a zero-length master key in certain 
        OpenSSL-to-OpenSSL communications, and consequently hijack sessions
        or obtain sensitive information, via a crafted TLS handshake, aka 
        the "CCS Injection" vulnerability." [1]
        
        "OpenSSL anonymous ECDH cipher suite contains weakness (SPL-85063, 
        CVE-2014-3470)
        
        Description: The ssl3_send_client_key_exchange function in s3_clnt.c
        in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 
        1.0.1h, when an anonymous ECDH cipher suite is used, allows remote 
        attackers to cause a denial of service (NULL pointer dereference and
        client crash) by triggering a NULL certificate value." [1]


MITIGATION

        It is recommended that users update to the latest version of Splunk
        Enterprise to correct these issues. [1]
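        As an added illustration (not part of this bulletin or of any Splunk
        tooling), the following Python checker encodes the two version ranges
        the bulletin gives: the vulnerable OpenSSL ranges from the vendor text
        under IMPACT and the fixed Splunk Enterprise releases from reference
        [1]. OpenSSL patch letters sort a < b < ... < z < za < zb, which a plain
        string compare gets wrong. Sample inputs are constructed; treating
        Splunk branches older than 5.0 as affected is an assumption.

```python
import re

# Vulnerable OpenSSL ranges from the vendor text: [lower inclusive, fixed release exclusive).
AFFECTED_OPENSSL = [("0.0.0", "0.9.8za"), ("1.0.0", "1.0.0m"), ("1.0.1", "1.0.1h")]
# Splunk Enterprise releases that ship the fix, per reference [1].
SPLUNK_FIXED = [(6, 1, 2), (6, 0, 5), (5, 0, 9)]

_OPENSSL_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_rank(suffix):
    # OpenSSL patch letters sort a < b < ... < z < za < zb: longer suffix wins, then lexical.
    return (len(suffix), suffix)


def parse_openssl(text):
    """Turn '1.0.1g', 'OpenSSL 0.9.8za 5 Jun 2014' or '1.0.1e-fips' into a sortable tuple."""
    m = _OPENSSL_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), _letter_rank(m.group(4)))


def openssl_affected(text):
    """True if the OpenSSL build falls inside one of the bulletin's vulnerable ranges."""
    key = parse_openssl(text)
    return any(parse_openssl(lo) <= key < parse_openssl(hi) for lo, hi in AFFECTED_OPENSSL)


def splunk_affected(version):
    """True if Splunk Enterprise is older than the patched release on its major.minor branch."""
    v = tuple(int(x) for x in version.strip().split("."))
    for fixed in SPLUNK_FIXED:
        if v[:2] == fixed[:2]:  # same major.minor branch as a fixed release
            return v < fixed
    # Assumption: branches older than every fixed release (e.g. 4.x) are "prior to" the
    # fixed versions and therefore affected; newer branches are outside this bulletin.
    return v < min(SPLUNK_FIXED)


if __name__ == "__main__":
    # Constructed samples in the shape `openssl version` and Splunk's version string report.
    for sample in ["OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8za 5 Jun 2014", "1.0.1e-fips"]:
        print(f"{sample:32} affected={openssl_affected(sample)}")
    for sample in ["6.1.1", "6.1.2", "5.0.8"]:
        print(f"Splunk {sample:25} affected={splunk_affected(sample)}")
```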


REFERENCES

        [1] Splunk Enterprise 6.1.2, 6.0.5 and 5.0.9 address two
            vulnerabilities
            http://www.splunk.com/view/SP-CAAAM2D

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================