A short post to announce that Logstash version 2.2.2 has been released today with an important security bug fix! Jump to the downloads page for the binaries, where you can also find the full list of changes.
Elasticsearch Output SSL Configuration Issue
Logstash version 2.2.1 is vulnerable to a man-in-the-middle attack when used with the Elasticsearch output. In 2.2.1, the setting that enables SSL/TLS by default was inadvertently disabled, so a malicious user positioned between Logstash and Elasticsearch could read payload data sent over plain HTTP during the initial handshake. This has been fixed in 2.2.2.
Users who do not wish to upgrade to 2.2.2 immediately can instead add the https:// prefix to every entry in their hosts configuration, which forces the output to use TLS regardless of the broken default. For example, replace "hosts" => "found-123.com:9200" with "hosts" => "https://found-123.com:9200". Restart Logstash after making this change so that the new hosts setting takes effect.
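As an added example (not code from the original post or from the Logstash project), the following POSIX shell helper audits pipeline configuration files for hosts entries that lack the https:// prefix, which is exactly the pattern that 2.2.1 would send in the clear. It assumes each hosts value is a double-quoted string on the same line as the hosts key; the two sample pipelines in the demo are constructed for illustration, and the found-123.com / found-456.com names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post or the Logstash project):
# audit Logstash pipeline configs for elasticsearch output "hosts" values
# that do not carry an explicit https:// prefix, i.e. the entries that
# Logstash 2.2.1 would silently send over plain HTTP.
#
# Assumption: each hosts value is a double-quoted string on the same line
# as the hosts key, e.g.   hosts => ["node1:9200", "https://node2:9200"]

# audit_logstash_hosts FILE
# Prints every hosts entry lacking https://. Returns 0 when all entries
# use https, 1 when at least one plaintext entry is found.
audit_logstash_hosts() {
    # 1. keep only lines that set the hosts key (quoted or bare)
    # 2. drop everything up to and including "=>"
    # 3. pull out each double-quoted value, strip the quotes
    # 4. keep the ones that do not start with https://
    plain=$(grep -E '^[[:space:]]*"?hosts"?[[:space:]]*=>' "$1" \
        | sed 's/^[^=]*=>//' \
        | grep -oE '"[^"]*"' \
        | tr -d '"' \
        | grep -vE '^https://' || true)
    if [ -n "$plain" ]; then
        printf '%s\n' "$plain" | sed "s|^|$1: plaintext hosts entry: |"
        return 1
    fi
    return 0
}

# Constructed sample pipelines for demonstration (not real deployments).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/vulnerable.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["found-123.com:9200", "https://found-456.com:9200"]
  }
}
EOF
    cat > "$tmp/fixed.conf" <<'EOF'
output {
  elasticsearch {
    "hosts" => "https://found-123.com:9200"
  }
}
EOF
    for f in "$tmp"/*.conf; do
        if audit_logstash_hosts "$f"; then
            echo "$f: ok (all hosts use https://)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it against your pipeline directory with something like `for f in /etc/logstash/conf.d/*.conf; do audit_logstash_hosts "$f"; done`. The check is a heuristic on the hosts values only; it does not inspect the ssl option itself, so a host listed without https:// is reported even when the surrounding block sets ssl explicitly.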