SSLv3 is shipped out of the box to support easy upgrades but should be disabled as soon as upgrades are complete.
By default, Splunk Enterprise allows communications on SSLv3 and all subsequent versions.
When designing systems in domains with high levels of fragmentation, then, extra care is appropriate.
In such domains graceful security degradation may become common.
Affected Firmware: Barracuda Next Gen Firewall F-Series Firmware Version 6.2.x and 7.0.x
Impact: Affected boxes continued to enforce defined rulesets and did not switch to "fail open" or "fail close" mode.
However, firewall ruleset changes made while a unit was affected did not take effect even though a ruleset change was performed through the configuration interface.
To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2.
For forwarders running 6.2 you can mitigate compatibility issues by also updating each forwarder's settings in addition to your indexer.
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit that takes advantage of Internet and security software clients' fallback to SSL 3.0.
The included Content-Pattern file contained corrupted data, resulting in unresponsiveness of the firewall and high CPU load on lower capacity units.
The Barracuda Network Security Team replaced the corrupted definitions at pm UTC.
This error condition is only resolved through a restart of the firewall service, or by applying the provided hotfix.
Mitigation: Customers who notice the described symptoms should IMMEDIATELY install the following hotfix.
We apologize for any inconvenience caused by this issue.
There is an additional whitepaper available from OpenSSL that also describes this vulnerability.
The following script can be used to check if a system is vulnerable.
When Splunk Enterprise is configured in FIPS mode, SSLv2 and SSLv3 are always disabled regardless of any additional configuration.
Configure forwarders to be compatible with your indexer.
CAUTION: To avoid the SSLv3 "POODLE" vulnerability, remove SSLv3 as upgrades are applied to your environment.
Changing or limiting the SSL versions (and restricting SSLv3) can create compatibility issues with forwarders, particularly those that run earlier versions of Splunk Enterprise.