VuXML ID | Description |
2184ccad-1a10-11e5-b43d-002590263bf5 | logstash -- Remote command execution in Logstash zabbix and nagios_nsca outputs
Elastic reports:
The vulnerability impacts deployments that use either the
zabbix or the nagios_nsca outputs. In these cases, an attacker
with an ability to send crafted events to any source of data for
Logstash could execute operating system commands with the
permissions of the Logstash process.
Deployments that do not use the zabbix or the nagios_nsca outputs
are not vulnerable and do not need to upgrade for this reason.
We have added this vulnerability to our CVE page and are working
on filling out the CVE.
We would like to thank Jan Karwowski and Danila Borisiuk for
reporting the issue and working with us on the resolution.
Discovery 2014-06-24 Entry 2015-06-24
logstash < 1.4.2
CVE-2014-4326
https://www.elastic.co/blog/logstash-1-4-2
https://www.elastic.co/community/security
|
ad4d3871-1a0d-11e5-b43d-002590263bf5 | logstash-forwarder and logstash -- susceptibility to POODLE vulnerability
Elastic reports:
The combination of Logstash Forwarder and Lumberjack input (and
output) was vulnerable to the POODLE attack in SSLv3 protocol. We
have disabled SSLv3 for this combination and set the minimum version
to be TLSv1.0. We have added this vulnerability to our CVE page and
are working on filling out the CVE.
Thanks to Tray Torrance, Marc Chadwick, and David Arena for
reporting this.
SSLv3 is no longer supported; TLS 1.0+ is required (compatible
with Logstash 1.4.2+).
Discovery 2015-06-09 Entry 2015-06-24 Modified 2015-06-24
logstash-forwarder < 0.4.0.20150507
logstash < 1.4.3
ports/201065
https://www.elastic.co/blog/logstash-1-4-3-released
https://www.elastic.co/blog/logstash-forwarder-0-4-0-released
|
c470bcc7-33fe-11e5-a4a5-002590263bf5 | logstash -- SSL/TLS vulnerability with Lumberjack input
Elastic reports:
Vulnerability Summary: All Logstash versions prior to 1.5.2 that
use Lumberjack input (in combination with Logstash Forwarder agent)
are vulnerable to an SSL/TLS security issue called the FREAK attack.
This allows an attacker to intercept communication and access secure
data. Users should upgrade to 1.5.3 or 1.4.4.
Remediation Summary: Users that do not want to upgrade can address
the vulnerability by disabling the Lumberjack input.
Discovery 2015-07-22 Entry 2015-07-27
logstash < 1.4.4
logstash >= 1.5.0, < 1.5.3
CVE-2015-5378
https://www.elastic.co/community/security
|
24bde04f-1a10-11e5-b43d-002590263bf5 | logstash -- Directory traversal vulnerability in the file output plugin
Elastic reports:
An attacker could use the File output plugin with dynamic field
references in the path option to traverse paths outside of Logstash
directory. This technique could also be used to overwrite any files
which can be accessed with permissions associated with Logstash
user. This release sandboxes the paths which can be traversed using
the configuration. We have also disallowed use of dynamic field
references if the path option is pointing to an absolute path.
We have added this vulnerability to our CVE page and are working
on filling out the CVE. We would like to thank Colin Coghill for
reporting the issue and working with us on the resolution.
Discovery 2015-06-09 Entry 2015-06-24
logstash < 1.4.3
CVE-2015-4152
https://www.elastic.co/blog/logstash-1-4-3-released
https://www.elastic.co/community/security
|
43ac9d42-1b9a-11e5-b43d-002590263bf5 | elasticsearch and logstash -- remote OS command execution via dynamic scripting
Elastic reports:
Vulnerability Summary: In Elasticsearch versions 1.1.x and prior,
dynamic scripting is enabled by default. This could allow an
attacker to execute OS commands.
Remediation Summary: Disable dynamic scripting.
Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is
vulnerable to CVE-2014-3120. These binaries are used in
Elasticsearch output specifically when using the node protocol.
Since a node client joins the Elasticsearch cluster, the attackers
could use scripts to execute commands on the host OS using the node
client's URL endpoint. With the 1.4.3 release, we are packaging Logstash
with Elasticsearch 1.5.2 binaries, which by default disable the
ability to run scripts. This also affects users who are using the
configuration option embedded=>true in the Elasticsearch output
which starts a local embedded Elasticsearch cluster. This is
typically used in development environments and proof of concept
deployments. Regardless of this vulnerability, we strongly recommend
not using embedded in production.
Note that users of transport and http protocol are not vulnerable
to this attack.
Discovery 2014-05-22 Entry 2015-06-26
elasticsearch < 1.2.0
logstash < 1.4.3
CVE-2014-3120
67731
https://www.elastic.co/community/security
https://www.elastic.co/blog/elasticsearch-1-2-0-released
https://www.elastic.co/blog/logstash-1-4-3-released
https://www.exploit-db.com/exploits/33370/
http://bouk.co/blog/elasticsearch-rce/
http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
|