If you run the command
openssl s_client -connect ip:port < /dev/zero 2>&1
towards the rest api (port 8089) with ssl enabled, the tcp connection stays up forever after ssl handshake is done.
@lmcphpe - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.
This reminds me of the Slowloris [https://en.wikipedia.org/wiki/Slowloris_(computer_security)] attack that takes advantage of web servers that can't handle a lot of open connections. I haven't tested to see how vulnerable Splunk is but I would seriously consider placing some kind of reverse proxy in front of any user-facing services. I'm sure nginx is a popular option for this but if you already have F5 load balancers you may be able to use HTTP and OneConnect profiles to separate the client and server side connections. I'm sure other load balancers have similar options.
I would suggest that you look at how to report a possible vulnerability at https://www.splunk.com/page/securityportal. Report it there, and the ProdSec team will review as needed and get back to you.
