We are announcing the release of Logstash 1.5.4 and 1.4.5, which fix important security issues. Our recommendation is to upgrade immediately if you are using either of the following features:
Logstash Forwarder: After the release of 1.5.3, users encountered an issue where Logstash Forwarder was unable to communicate with the Logstash instance because of SSL/TLS certificate validation errors. This has been fixed.
Lumberjack output: Typically used to connect two Logstash instances. In such deployments, one Logstash instance is used to collect logs from a webserver and securely transmit them to a central Logstash instance to perform additional filtering and storing.
Security Fixes
When using SSL/TLS functionality, Lumberjack output from Logstash 1.5.3 and prior versions did not validate the certificate presented by the Logstash instance acting as a server. This exposes a man-in-the-middle vulnerability.
We have been assigned CVE-2015-5619 for this issue and have added this vulnerability to our CVE page.
Note: Users of Logstash Forwarder are not affected by this particular vulnerability.
Enhancements
Elasticsearch Output: Added the ability to update existing ES documents and support for upsert: if the document doesn't exist, create it (#116). Thanks to David Chauviere for contributing this enhancement!
Example configuration:
    output {
      if [use_case] == "doc_upsert" {
        elasticsearch {
          host => "elasticsearch"
          protocol => "http"
          action => "update"
          document_id => "%{[uid]}"
          doc_as_upsert => true
        }
      } else if [use_case] == "doc_static_upsert" {
        elasticsearch {
          host => "elasticsearch"
          protocol => "http"
          action => "update"
          document_id => "%{[uid]}"
          upsert => '{"static_field": "demo"}'
        }
      } else if [use_case] == "doc_dynamic_upsert" {
        elasticsearch {
          host => "elasticsearch"
          protocol => "http"
          action => "update"
          document_id => "%{[uid]}"
          upsert => '{"use_case": "%{[use_case]}", "dynamic": { "fieldC": "%{[dynamic_field][fieldC]}"}}'
        }
      }
    }
Bug fixes
Below is a list of bug fixes in core and plugins. For a full list, please check the changelog.
- Reverted a change in our SSL hardening fix that prevented Logstash Forwarder and Lumberjack output clients from connecting to 1.5.3 instances (#3657)
- Updated Concurrent-ruby library usage to suppress deprecation warnings (#3662)
- Lumberjack input: Fixed a scenario where Logstash Forwarder could lose events when dealing with congestion from downstream plugins. We were incorrectly calculating the window size of payload in the acknowledgement stage. (#3691)
- File input: Fix double ingestion issue when using glob path (#3674)
- AWS mixin: Correctly configure the proxy when using V2 version of the mixin. (#15)
- Lumberjack output: Added better handling of congestion scenarios by using buffered payloads (#7)
Feedback
Please download Logstash 1.5.4 and let us know what you think on Twitter (@elastic) or on our forum. You can report any problems on the GitHub issues page.