ASA-201902-28 log original external raw
[ASA-201902-28] logstash: information disclosure |
---|
Arch Linux Security Advisory ASA-201902-28
==========================================
Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7612
Package : logstash
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-913
Summary
=======
The package logstash before version 6.6.1-1 is vulnerable to
information disclosure.
Resolution
==========
Upgrade to 6.6.1-1.
# pacman -Syu "logstash>=6.6.1-1"
The problem has been fixed upstream in version 6.6.1.
Workaround
==========
None.
Description
===========
A sensitive data disclosure flaw was found in the way Logstash logs
malformed URLs. If a malformed URL is specified as part of the Logstash
configuration, the credentials for the URL could be inadvertently
logged as part of the error message.
Impact
======
A local attacker is able to obtain URL credentials by reading the error
log.
References
==========
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7612
|