Unrated severity · NVD Advisory · Published Mar 25, 2019 · Updated Aug 4, 2024
CVE-2019-7612
Description
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
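The failure mode described above, as an added example (not Logstash's code and not its fix): Ruby's `URI.parse` quotes the rejected string in its exception message, so an error path that logs that message also logs the credentials. `mask_userinfo`, `naive_error_text`, `parse_config_url`, `MASK` and the sample URL are constructed for illustration.

```ruby
require "uri"

MASK = "xxxxxx" # constructed placeholder for redacted credentials

# Constructed sample: the space in the password makes the URL unparseable.
SAMPLE = "http://elastic:s3cr3t pw@es.example:9200"

# Mask userinfo without relying on a successful parse. Everything between an
# optional "scheme://" and the LAST "@" is treated as credentials, which
# over-redacts odd input instead of leaking it.
def mask_userinfo(raw)
  raw.sub(%r{\A([A-Za-z][A-Za-z0-9+.-]*://)?.*@}m) { "#{$1}#{MASK}@" }
end

# What a naive handler would log: the stdlib exception message quotes the
# rejected string, password included.
def naive_error_text(raw)
  URI.parse(raw)
  nil
rescue URI::InvalidURIError => e
  e.message
end

# Validate a configured URL. The error is rebuilt from the masked string and
# `cause: nil` drops the original exception, so neither the message nor a
# logged cause chain carries the password.
def parse_config_url(raw)
  URI.parse(raw)
rescue URI::InvalidURIError
  raise ArgumentError, "invalid URL in configuration: #{mask_userinfo(raw)}", cause: nil
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{naive_error_text(SAMPLE)}"
  begin
    parse_config_url(SAMPLE)
  rescue ArgumentError => e
    puts "masked: #{e.message}"
  end
end
```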
Patches
24769664f1477bump lockfile for 5.6.15 (#10436)
3 files changed · +15 −13
Gemfile.jruby-1.9.lock.release+12 −12 modified@@ -145,7 +145,7 @@ GEM edn logstash-codec-line logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-codec-es_bulk (3.0.6) + logstash-codec-es_bulk (3.0.7) logstash-codec-line logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-codec-fluent (3.2.0-java) @@ -198,7 +198,7 @@ GEM logstash-filter-dissect (1.1.4) jar-dependencies logstash-core-plugin-api (>= 2.1.1, <= 2.99) - logstash-filter-dns (3.0.11) + logstash-filter-dns (3.0.12) logstash-core-plugin-api (>= 1.60, <= 2.99) lru_redux (~> 1.1.0) logstash-filter-drop (3.0.5) @@ -214,11 +214,11 @@ GEM logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-patterns-core stud (~> 0.0.22) - logstash-filter-json (3.0.5) + logstash-filter-json (3.0.6) logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-filter-kv (4.1.2) logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-metrics (4.0.5) + logstash-filter-metrics (4.0.6) logstash-core-plugin-api (>= 1.60, <= 2.99) metriks thread_safe @@ -228,7 +228,7 @@ GEM logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-filter-sleep (3.0.6) logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-split (3.1.6) + logstash-filter-split (3.1.7) logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-filter-syslog_pri (3.0.5) logstash-core-plugin-api (>= 1.60, <= 2.99) @@ -240,11 +240,11 @@ GEM logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-filter-urldecode (3.0.6) logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-useragent (3.2.2-java) + logstash-filter-useragent (3.2.3-java) logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-filter-uuid (3.0.5) logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-filter-xml (4.0.5) + logstash-filter-xml (4.0.6) logstash-core-plugin-api (>= 1.60, <= 2.99) nokogiri xml-simple 
@@ -366,7 +366,7 @@ GEM logstash-codec-plain logstash-core-plugin-api (>= 1.60, <= 2.99) snmp - logstash-input-sqs (3.1.1) + logstash-input-sqs (3.1.2) logstash-codec-json logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-mixin-aws (>= 4.3.0) @@ -432,7 +432,7 @@ GEM logstash-core-plugin-api (>= 1.60, <= 2.99) manticore (>= 0.5.4, < 1.0.0) stud (~> 0.0, >= 0.0.17) - logstash-output-file (4.2.5) + logstash-output-file (4.2.6) logstash-codec-json_lines logstash-codec-line logstash-core-plugin-api (>= 2.0.0, < 2.99) @@ -455,7 +455,7 @@ GEM logstash-output-null (3.0.5) logstash-codec-plain logstash-core-plugin-api (>= 1.60, <= 2.99) - logstash-output-pagerduty (3.0.7) + logstash-output-pagerduty (3.0.8) logstash-codec-plain logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-output-pipe (3.0.6) @@ -468,7 +468,7 @@ GEM logstash-core-plugin-api (>= 1.60, <= 2.99) redis stud - logstash-output-s3 (4.1.6) + logstash-output-s3 (4.1.7) concurrent-ruby logstash-core-plugin-api (>= 1.60, <= 2.99) logstash-mixin-aws (>= 4.3.0) @@ -524,7 +524,7 @@ GEM mustache (0.99.8) naught (1.1.0) netrc (0.11.0) - nokogiri (1.8.5-java) + nokogiri (1.9.1-java) numerizer (0.1.1) octokit (3.8.0) sawyer (~> 0.6.0, >= 0.5.3)
Gemfile.template+2 −0 modified@@ -26,6 +26,8 @@ gem "gems", "~> 0.8.3", :group => :build gem "rack", "1.6.6" gem "redis", "~> 3.3.3" # ------- end pinning +gem "nokogiri", "~> 1.9.1" +gem "hitimes", "1.3.0" gem "rack-test", "0.7.0", :require => "rack/test", :group => :development gem "flores", "~> 0.0.6", :group => :development gem "term-ansicolor", "~> 1.3.2", :group => :development
NOTICE.TXT+1 −1 modified@@ -1,5 +1,5 @@ Logstash -Copyright 2012-2018 Elasticsearch +Copyright 2012-2019 Elasticsearch This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
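Review bot: In Gemfile.template the two new pins, `gem "nokogiri", "~> 1.9.1"` and `gem "hitimes", "1.3.0"`, are added after the `# ------- end pinning` marker, so they fall outside the block that marker closes and carry no comment saying why they are held at these versions. Move them above the marker and give each a one-line reason. In the lockfile, eleven plugins move up one patch version each and nokogiri goes from 1.8.5 to 1.9.1 under the subject "bump lockfile for 5.6.15"; nothing in the visible lines says which of these bumps the release depends on, so naming them in the commit message would make the change auditable.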
a9af53240d1aEdits from review comments
1 file changed · +58 −72
docs/static/transforming-data.asciidoc+58 −72 modified@@ -352,33 +352,34 @@ After the filter is applied, the event in the example will have these fields: * `bytes: 15824` * `duration: 0.043` -TIP: If you need help building grok patterns, try out the +TIP: If you need help building grok patterns, try the {kibana-ref}/xpack-grokdebugger.html[Grok Debugger]. The Grok Debugger is an {xpack} feature under the Basic License and is therefore *free to use*. + [[lookup-enrichment]] === Enriching Data with Lookups -These plugins can help you enriching data with +These plugins can help you enrich data with additional info, such as GeoIP and user agent info: -* dns filter -* elasticsearch filter -* geoip filter -* http filter -* jdbc_static filter -* jdbc_streaming filter -* memcached filter -* translate filter -* useragent filter +* <<dns-def,dns filter>> +* <<es-def,elasticsearch filter>> +* <<geoip-def,geoip filter>> +* <<http-def,http filter>> +* <<jdbc-static-def,jdbc_static filter>> +* <<jdbc-stream-def,jdbc_streaming filter>> +* <<memcached-def,memcached filter>> +* <<translate-def,translate filter>> +* <<useragent-def,useragent filter>> [float] [[lookup-plugins]] === Lookup plugins -<<plugins-filters-dns,dns filter>>:: +[[dns-def]]dns filter:: -Performs a standard or reverse DNS lookup. +The <<plugins-filters-dns,dns filter plugin>> performs a standard or reverse DNS lookup. + The following config performs a reverse lookup on the address in the `source_host` field and replaces it with the domain name: 
@@ -393,10 +394,9 @@ filter { } -------------------------------------------------------------------------------- +[[es-def]]elasticsearch filter:: -<<plugins-filters-elasticsearch,elasticsearch filter>>:: - -Copies fields from previous log events in Elasticsearch to current events. +The <<plugins-filters-elasticsearch,elasticsearch filter>> copies fields from previous log events in Elasticsearch to current events. + The following config shows a complete example of how this filter might be used. Whenever Logstash receives an "end" event, it uses this Elasticsearch @@ -420,14 +420,13 @@ between the two events. } ruby { code => 'event.set("duration_hrs", (event.get("@timestamp") - event.get("started")) / 3600) rescue nil' - } + } } -------------------------------------------------- +[[geoip-def]]geoip filter:: -<<plugins-filters-geoip,geoip filter>>:: - -Adds geographical information about the location of IP addresses. For example: +The <<plugins-filters-geoip,geoip filter>> adds geographical information about the location of IP addresses. For example: + [source,json] -------------------------------------------------------------------------------- 
@@ -450,36 +449,35 @@ filter { } -------------------------------------------------------------------------------- -<<plugins-filters-http,http filter>>:: - -Integrates with external web services/REST APIs, and -enables lookup enrichment against any HTTP service or endpoint. -The <<plugins-filters-http,http filter>> is well suited to many enrichment use -cases, such as social APIs, sentiment APIs, security feed APIs, and business -service APIs. -+ -[source,txt] ------ -filter { - http { - url => "http://example.com" - verb => GET - body => { - "user-id" => "%{user}" - "api-key" => "%{api_key}" - } - body_format => "json" - headers => - "Content-type" => "application/json" - } - target_body => "new_field" - } -} ------ - -<<plugins-filters-jdbc_static,jdbc_static filter>>:: - -Enriches events with data pre-loaded from a remote database. +[[http-def]]http filter:: + +The <<plugins-filters-http,http filter>> integrates with external web +services/REST APIs, and enables lookup enrichment against any HTTP service or +endpoint. This plugin is well suited for many enrichment use cases, such as +social APIs, sentiment APIs, security feed APIs, and business service APIs. +//+ +//[source,txt] +//----- +//filter { +// http { +// url => "http://example.com" +// verb => GET +// body => { +// "user-id" => "%{user}" +// "api-key" => "%{api_key}" +// } +// body_format => "json" +// headers => +// "Content-type" => "application/json" +// } +// target_body => "new_field" +// } +//} +//----- + +[[jdbc-static-def]]jdbc_static filter:: + +The <<plugins-filters-jdbc_static,jdbc_static filter>> enriches events with data pre-loaded from a remote database. + The following example fetches data from a remote database, caches it in a local database, and uses lookups to enrich events with data cached in the local 
@@ -557,9 +555,9 @@ returns multiple columns, the data is stored as a JSON object within the field. <5> Takes data from the JSON object and stores it in top-level event fields for easier analysis in Kibana. -<<plugins-filters-jdbc_streaming,jdbc_streaming filter>>:: +[[jdbc-stream-def]]jdbc_streaming filter:: -Enriches events with database data. +The <<plugins-filters-jdbc_streaming,jdbc_streaming filter>> enriches events with database data. + The following example executes a SQL query and stores the result set in a field called `country_details`: @@ -580,27 +578,16 @@ filter { } -------------------------------------------------------------------------------- -<<plugins-filters-memcached,memcached filter>>:: +[[memcached-def]]memcached filter:: -Enables key/value lookup enrichment against a Memcached object caching system. +The <<plugins-filters-memcached,memcached filter>> enables key/value lookup +enrichment against a Memcached object caching system. It supports both read (GET) and write (SET) operations. It is a notable addition -for security analytics use cases. For example, you can use this plugin to query -for a value, and set it if not found. -+ -[source,txt] ------ -filter { - memcached { - url => "http://example.com" - verb => GET - body => {TODO-complete example - } -} ------ +for security analytics use cases. -<<plugins-filters-translate,translate filter>>:: +[[translate-def]]translate filter:: -Replaces field contents based on replacement values specified in a hash or file. +The <<plugins-filters-translate,translate filter>> replaces field contents based on replacement values specified in a hash or file. Currently supports these file types: YAML, JSON, and CSV. + The following example takes the value of the `response_code` field, translates 
@@ -624,10 +611,9 @@ filter { } -------------------------------------------------------------------------------- +[[useragent-def]]useragent filter:: -<<plugins-filters-useragent,useragent filter>>:: - -Parses user agent strings into fields. +The <<plugins-filters-useragent,useragent filter>> parses user agent strings into fields. + The following example takes the user agent string in the `agent` field, parses it into user agent fields, and adds the user agent fields to a new field called
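Review bot: In the http filter hunk the sample config is commented out with `//` rather than fixed or deleted, which leaves a broken example in the source: `headers =>` has no opening brace, so the block's braces do not balance. Either delete it or restore a corrected version; if it comes back, use an `https://` URL, because the body sends `"api-key" => "%{api_key}"` to `http://example.com` in clear text. The memcached hunk deletes its `TODO-complete example` block outright, so the two unfinished examples should be handled the same way.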
References
- discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077 (mitre, x_refsource_MISC)
- security.netapp.com/advisory/ntap-20190411-0002/ (mitre, x_refsource_CONFIRM)
- www.elastic.co/community/security (mitre, x_refsource_MISC)