We released Logstash 1.4.2 today. This is a bug fix release that includes an important fix for a security vulnerability that was present in previous versions of Logstash. We recommend that users of Logstash's zabbix or nagios_nsca outputs upgrade immediately. Deployments that do not use the zabbix or the nagios_nsca outputs are not vulnerable and do not need to upgrade for this reason.
The vulnerability impacts deployments that use the either the zabbix or the nagios_nsca outputs. In these cases, an attacker with an ability to send crafted events to any source of data for Logstash could execute operating system commands with the permissions of the Logstash process.
Deployments that do not use the zabbix or the nagios_nsca outputs are not vulnerable and do not need to upgrade for this reason.
We have added this vulnerability to our CVE page and are working on filling out the CVE.
We would like to thank Jan Karwowski and Danila Borisiuk for reporting the issue and working with us on the resolution.
An upgrade to Logstash 1.4.2 will address the issue. This is our recommended path.
Some deployments may be able to remove the zabbix and nagios_nsca outputs from their configuration. This is a viable option to remediate until an upgrade can be performed.
We have also released a patch for the 1.3.x series of Logstash releases. This patch can be applied to address the vulnerability. This patch is available as an option to upgrade to 1.4.2. If you apply the patch, you do not need to upgrade to 1.4.2 to fix the vulnerability.
In order to apply the patch for the 1.3.x series, do the following on each Logstash host. This example uses 1.3.3, but you can also use these steps for 1.3.0 - 1.3.2.
# mkdir -p /tmp/logstash-patch/logstash/outputs # wget -O /tmp/logstash-patch/logstash/outputs/zabbix.rb https://github.com/elasticsearch/logstash-contrib/raw/v1.4.2/lib/logstash/outputs/zabbix.rb # wget -O /tmp/logstash-patch/logstash/outputs/nagios_nsca.rb https://github.com/elasticsearch/logstash/raw/v1.4.2/lib/logstash/outputs/nagios_nsca.rb # jar uf logstash-1.3.3-flatjar.jar -C /tmp/logstash-patch/ logstash/outputs/zabbix.rb -C /tmp/logstash-patch/ logstash/outputs/nagios_nsca.rb
The 1.4.2 release includes a number of other fixes. For Logstash core:
- the nagios_nsca output plugin external command invocation works correctly
- Logstash can now be invoked outside of its home directory
- the generator input plugin with the stdin option works correctly
- the file input plugin now works correctly on Debian 7
And for logstash-contrib:
- the zabbix output external command invocation works correctly
- added translate filter dictionary file auto refresh and improved its documentation