ArchLinux: 201902-28: logstash: information disclosure

    Date: 26 Feb 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package logstash before version 6.6.1-1 is vulnerable to information disclosure.
    Arch Linux Security Advisory ASA-201902-28
    ==========================================
    
    Severity: High
    Date    : 2019-02-25
    CVE-ID  : CVE-2019-7612
    Package : logstash
    Type    : information disclosure
    Remote  : No
    Link    : https://security.archlinux.org/AVG-913
    
    Summary
    =======
    
    The package logstash before version 6.6.1-1 is vulnerable to
    information disclosure.
    
    Resolution
    ==========
    
    Upgrade to 6.6.1-1.
    
    # pacman -Syu "logstash>=6.6.1-1"
    
    The problem has been fixed upstream in version 6.6.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A sensitive data disclosure flaw was found in the way Logstash logs
    malformed URLs. If a malformed URL is specified as part of the Logstash
    configuration, the credentials for the URL could be inadvertently
    logged as part of the error message.
    
    Impact
    ======
    
    A local attacker is able to obtain URL credentials by reading the error
    log.
    
    References
    ==========
    
    https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
    https://security.archlinux.org/CVE-2019-7612
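
The description above says credentials from a malformed URL can end up in the error log. The following is an added example, not part of the advisory or of Logstash: it scans log text for `scheme://user:password@` userinfo without requiring the rest of the URL to parse, and reports matching lines with the password masked. The sample lines and the function names are constructed for illustration.

```python
import re

# scheme://user:password@ ; the password may itself contain '@' or ':'.
# Matching is limited to the authority part (stops at '/', '?', '#' or
# whitespace) and does not require the rest of the URL to be well formed,
# because the advisory concerns URLs that fail to parse.
USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)"
    r"(?P<user>[^\s/?#:@]*):(?P<password>[^\s/?#]*)@"
)


def redact_line(line):
    """Return (line with URL passwords masked, number of passwords masked)."""
    return USERINFO.subn(r"\g<scheme>\g<user>:<redacted>@", line)


def scan(lines):
    """Return [(line_number, redacted_line)] for lines holding URL credentials."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, hits = redact_line(line.rstrip("\n"))
        if hits:
            findings.append((number, redacted))
    return findings


# Constructed sample lines (not real Logstash output).
SAMPLE_LOG = [
    "[ERROR] invalid URL in output config: http://elastic:s3cr3t@es host:9200",
    "[INFO] pipeline started, output=http://es1.example.internal:9200/",
    "[ERROR] invalid URL: https://logwriter:p@ss:w0rd@[::1:9200/_bulk",
    "[INFO] notify admin@example.com after restart",
]

if __name__ == "__main__":
    # Only the masked form is printed, so the scan does not leak again.
    for number, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```
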
    
