We are pleased to announce the availability of Logstash 1.4.3. This is a bug fix release for the 1.4 series which fixes a few important security vulnerabilities. Our recommendation is to upgrade to 1.4.3 if you are using any of the following plugins:
- Elasticsearch output with node protocol
- Logstash Forwarder with Lumberjack input/output
- File Output
Elasticsearch 1.1.1 vulnerability
Logstash 1.4.2 was bundled with Elasticsearch 1.1.1, which is vulnerable to CVE-2014-3120. These binaries are used by the Elasticsearch output specifically when the node protocol is selected. Because a node client joins the Elasticsearch cluster, an attacker could use scripts to execute commands on the host OS through the node client's URL endpoint. With the 1.4.3 release we package Logstash with Elasticsearch 1.5.2 binaries, which disable the ability to run scripts by default. This also affects users of the configuration option embedded=>true in the Elasticsearch output, which starts a local embedded Elasticsearch cluster. This is typically used in development environments and proof-of-concept deployments. Regardless of this vulnerability, we strongly recommend not using embedded in production.
Note that users of the transport and http protocols are not vulnerable to this attack.
Logstash Forwarder with Lumberjack input/output
The combination of Logstash Forwarder and the Lumberjack input (and output) was vulnerable to the POODLE attack against the SSLv3 protocol. We have disabled SSLv3 for this combination and set the minimum protocol version to TLSv1.0. We have added this vulnerability to our CVE page and are working on filling out the CVE.
Thanks to Tray Torrance, Marc Chadwick, and David Arena for reporting this.
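The fix described above comes down to refusing SSLv3 and setting a TLSv1.0 floor on the SSL context. The following Ruby is an added example (not Logstash's or Logstash Forwarder's own code) of how such a context is built with the standard openssl gem, together with a small audit helper that reports whether a given context could still negotiate SSLv3; the permissive context is constructed only to show what the helper flags.

```ruby
require 'openssl'

# Build an SSLContext that refuses SSLv2/SSLv3 and negotiates TLSv1.0 or newer.
# Example code: the exact calls Logstash 1.4.3 makes are not reproduced here.
def hardened_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  # Disable the legacy protocols via option bits; this form works on every
  # Ruby/OpenSSL combination. SSLv3 is the protocol POODLE exploits.
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  # Newer openssl gems expose an explicit protocol floor; set it when present.
  ctx.min_version = OpenSSL::SSL::TLS1_VERSION if ctx.respond_to?(:min_version=)
  ctx
end

# Audit helper: true when the context could still negotiate SSLv3
# (assuming the linked OpenSSL library still implements it at all).
def sslv3_allowed?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_SSLv3).zero?
end

# A deliberately permissive context, constructed only so the audit helper has
# something to flag. SSLContext#options= replaces the whole option set, so
# this clears the OP_NO_SSLv3 bit that the hardened context sets.
def permissive_ssl_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = ctx.options & ~OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

if __FILE__ == $PROGRAM_NAME
  puts "hardened context allows SSLv3?   #{sslv3_allowed?(hardened_ssl_context)}"
  puts "permissive context allows SSLv3? #{sslv3_allowed?(permissive_ssl_context)}"
end
```

The option-bit form is used rather than `ssl_version = :TLSv1`, because the latter pins a single protocol version instead of setting a floor; `min_version=` is the cleaner API on openssl gem 2.1 and later, hence the `respond_to?` guard. Whether a connection is actually refused also depends on the OpenSSL library Ruby is linked against; modern builds no longer ship SSLv3 at all.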
File output vulnerability
An attacker could use the File output plugin with dynamic field references in the path option to traverse to paths outside of the Logstash directory. This technique could also be used to overwrite any file accessible with the permissions of the Logstash user. This release sandboxes the paths that can be reached through the configuration, and disallows dynamic field references when the path option points to an absolute path.
We have added this vulnerability to our CVE page and are working on filling out the CVE. We would like to thank Colin Coghill for reporting the issue and working with us on the resolution.
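The two rules described above (no dynamic field references in an absolute path, and relative paths confined to a sandbox directory) can be checked before a file is ever opened. The Ruby below is an added example written for this post, not the File output plugin's own code: `resolve_output_path` renders a Logstash-style `%{field}` template for one event and enforces both rules, and `safe_output_path?` wraps it as an accept/reject check. The base directory, the `%{field}` regex and the sample events are constructed for the example.

```ruby
require 'pathname'

# Logstash-style dynamic field reference, e.g. %{host} (constructed for this example).
FIELD_REF = /%\{([^}]+)\}/

class UnsafePathError < StandardError; end

# Substitute %{field} references with values from the event hash.
# Missing fields render as an empty string.
def interpolate(template, event)
  template.gsub(FIELD_REF) { event.fetch(Regexp.last_match(1), '') }
end

# Resolve a configured path template for one event and enforce two rules
# (this example's own logic, not the plugin's):
#   1. an absolute path template may not contain dynamic field references;
#   2. a relative template is rendered under base_dir and the result, after
#      lexical normalisation of "." and "..", must still lie inside base_dir.
def resolve_output_path(base_dir, template, event)
  base = Pathname.new(base_dir).expand_path

  if Pathname.new(template).absolute?
    if template =~ FIELD_REF
      raise UnsafePathError, "dynamic field references are not allowed in absolute path #{template.inspect}"
    end
    # A fixed absolute path is operator-chosen, so no event data can move it.
    return Pathname.new(template).expand_path.to_s
  end

  rendered = interpolate(template, event)
  # Pathname#+ normalises ".." and returns the right-hand side unchanged when it
  # is absolute, so event data such as "../x" or "/tmp/x" surfaces here as a
  # path outside base rather than being silently appended.
  target = (base + rendered).expand_path
  inside = target == base || target.to_s.start_with?(base.to_s + File::SEPARATOR)
  unless inside
    raise UnsafePathError, "event data would write outside #{base}: #{target}"
  end
  target.to_s
end

# Boolean wrapper for callers that only need an accept/reject answer.
def safe_output_path?(base_dir, template, event)
  resolve_output_path(base_dir, template, event)
  true
rescue UnsafePathError
  false
end

if __FILE__ == $PROGRAM_NAME
  base = '/var/lib/logstash/output' # constructed sandbox directory
  puts resolve_output_path(base, 'logs/%{host}.log', 'host' => 'web01')
  puts safe_output_path?(base, 'logs/%{host}.log', 'host' => '../../../tmp/escape')
  puts safe_output_path?(base, '%{path}', 'path' => '/etc/hostname')
  puts safe_output_path?(base, '/var/log/%{host}.log', 'host' => 'web01')
  puts safe_output_path?(base, '/var/log/fixed.log', {})
end
```

The containment check is purely lexical: it decides from the normalised string, which is enough to stop `..` and absolute values carried in event fields, but it does not follow symlinks. A deployment that allows symlinks under the sandbox directory would additionally need `Pathname#realpath` on the parent directory (which requires it to exist) before comparing against the base.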
Fixed an issue in the Elasticsearch output that was not correctly releasing socket connections. The fix was made in the ruby-ftw HTTP client library, so any plugin that uses it should benefit from this resolution (#1604).