Logstash 1.5.3 and 1.4.4 released

We are announcing the release of Logstash 1.5.3 and 1.4.4. In addition to fixing defects, these releases address important security vulnerabilities. Our recommendation is to upgrade immediately if you are using either of the following plugins:

• Lumberjack Input with Logstash Forwarder agent
• Elasticsearch Output with transport or node protocol configuration.

Security Fixes

Lumberjack Input Security Vulnerability

Logstash 1.5.2 and prior versions are vulnerable to a SSL/TLS security issue called the FREAK attack. If you are using the Lumberjack input, FREAK allows an attacker to successfully implement a man in the middle attack, intercepting communication between the Logstash Forwarder agent and Logstash server. Both 1.5.3 and 1.4.4 release include a patch which resolves this issue.

We have been assigned CVE-2015-5378 for this issue and added this vulnerability to our CVE page.

Elasticsearch Vulnerabilities

Logstash 1.5.2 and prior versions were packaged with Elasticsearch releases which are vulnerable to Remote code execution vulnerability (CVE-2015-5377) and Directory traversal vulnerability (CVE-2015-5531). These binaries are used in Elasticsearch output specifically when using the node and transport protocol. Both 1.5.3 and 1.4.4 are packaged with Elasticsearch version 1.7.0 which has been released to address these vulnerabilities.

Note that users of http protocol are not vulnerable to these attacks.

Bug Fixes

Below we highlight some bug fixes and enhancements in this release. For a full list, please check the changelog

Restored the command line option --pluginpath for bin/logstash script. Since plugins are separated as individual entities, we provide tooling to install them when packaged as a ruby gem. Alternatively, developers working on custom plugins can use the --pluginpath option to load ruby source files into Logstash (#3580).

For debian and rpm packages added ability to force stop Logstash running as a service. When the environment variable KILL_ON_STOP_TIMEOUT=1 is set, the Logstash process not stopped within a reasonable time will be forced to shutdown. Please be aware that you could lose in-flight messages if you force stop Logstash (#3578). To provide more feedback during shutdown, we now log a periodic report of in-flight events being processed (#3484).

Added the ability for the Elasticsearch output to configure a client side certificate while communicating with a secure Elasticsearch cluster. With this enhancement, Logstash can take advantage of the new cert-based authentication feature available in Elastic Shield 1.3 (#170)

Logstash can now ship logs to Elasticsearch using a forwarding proxy. This enhancement can be enabled in the Elasticsearch output when using the http protocol (#199)

Feedback

Please download Logstash 1.5.3 and let us know what you think on Twitter (@elastic) or on our forum. You can report any problems on the GitHub issues page.