CVE-2023-46672
📋 TL;DR
CVE-2023-46672 is a Logstash vulnerability where sensitive information from the keystore can be exposed in JSON-formatted logs when referenced as variables in configuration. This affects Logstash instances using non-default JSON logging format with keystore references. Attackers with access to logs could obtain credentials and other sensitive data.
💻 Affected Systems
- Elastic Logstash
📦 What is this software?
Logstash by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of sensitive credentials (API keys, passwords, certificates) stored in Logstash keystore leading to data breaches, lateral movement, and system takeover.
Likely Case
Exposure of specific credentials referenced in configurations, potentially allowing unauthorized access to connected systems and services.
If Mitigated
Limited exposure with proper access controls and monitoring, but still represents an information disclosure risk.
🎯 Exploit Status
Exploitation requires read access to Logstash logs. No authentication bypass needed if logs are accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Logstash 8.11.1 and later
Vendor Advisory: https://discuss.elastic.co/t/logstash-8-11-1-security-update-esa-2023-26/347191
Restart Required: Yes
Instructions:
1. Back up Logstash configurations and data.
2. Download Logstash 8.11.1 or later from elastic.co.
3. Stop the Logstash service.
4. Install or upgrade to the patched version.
5. Restart the Logstash service.
6. Verify that the logs no longer contain sensitive data.
🔧 Temporary Workarounds
Disable JSON logging format
Applies to all platforms. Switch from the JSON logging format back to the default plain-text format so that keystore values are not written to the logs.
Set log.format: plain in logstash.yml or use --log.format plain command line flag
Restrict log file permissions
Applies to Linux. Apply strict file permissions to the Logstash log files to limit who can read them.
chmod 600 /var/log/logstash/*.log
chown logstash:logstash /var/log/logstash/*.log
🧯 If You Can't Patch
- Disable JSON logging format immediately and audit logs for exposed credentials
- Rotate all credentials stored in Logstash keystore and implement strict log access controls
🔍 How to Verify
Check if Vulnerable:
Check if using JSON logging (log.format: json in logstash.yml or --log.format json) AND keystore variables in configuration.
Check Version:
/usr/share/logstash/bin/logstash --version
Verify Fix Applied:
After patching, verify Logstash version is 8.11.1+ and check logs no longer contain keystore variable values.
📡 Detection & Monitoring
Log Indicators:
- Sensitive strings (passwords, API keys) appearing in JSON-formatted Logstash logs
- Patterns matching keystore variable names in log entries
Network Indicators:
- Unauthorized access attempts to log files or Logstash management interfaces
SIEM Query:
source="logstash*" AND log_level="INFO" AND ("password" OR "api_key" OR "secret" OR "token") AND log_format="json"
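The two checks above (the "How to Verify" preconditions and the "Log Indicators" under detection) can be scripted. The following is an added example written for this page, not Elastic's code: it reads `log.format` from logstash.yml with a simple line match (no YAML library), extracts `${VAR}` keystore references from a pipeline file, and scans JSON-formatted log lines for either a known secret value or a keystore variable name appearing next to a sensitive keyword. All file contents and log lines are constructed samples, the variable-name regex is an assumption, and the `known_values` list is something the operator supplies from the system that issued the credentials.

```python
"""Audit helper for the CVE-2023-46672 preconditions and log exposure.

Added example, not Elastic's code. Three steps:
  1. read log.format from logstash.yml (JSON logging is a precondition),
  2. find ${VAR} keystore references in the pipeline config (second precondition),
  3. scan JSON log lines for leaked values or suspicious variable-name mentions.
"""
import json
import re

# Assumption: keystore variable names are word characters and dots.
KEYSTORE_REF = re.compile(r"\$\{([A-Za-z_][\w.]*)(?::[^}]*)?\}")
SENSITIVE_WORDS = ("password", "api_key", "secret", "token")


def log_format(logstash_yml: str) -> str:
    """Return the configured log.format; 'plain' when unset (Logstash's default)."""
    for line in logstash_yml.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"log\.format\s*:\s*(\S+)", line)
        if m:
            return m.group(1).strip("\"'").lower()
    return "plain"


def keystore_refs(pipeline_conf: str) -> set:
    """Names referenced as ${NAME} or ${NAME:default} in a pipeline config."""
    return set(KEYSTORE_REF.findall(pipeline_conf))


def is_exposed_configuration(logstash_yml: str, pipeline_conf: str) -> bool:
    """Both advisory preconditions hold: JSON logging AND keystore references."""
    return log_format(logstash_yml) == "json" and bool(keystore_refs(pipeline_conf))


def scan_json_logs(lines, refs, known_values=()):
    """Return (line_no, kind, match) for suspicious JSON log entries.

    kind 'value_leak': a known secret value appears anywhere in the record.
    kind 'ref_mention': a keystore variable name appears alongside a
    sensitive keyword (weaker signal, worth a manual look).
    """
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                              # plain-text line, not in scope
        blob = json.dumps(entry)                  # whole record, nested fields included
        for v in known_values:
            if v and v in blob:
                findings.append((n, "value_leak", v))
        for name in refs:
            if name in blob and any(w in blob.lower() for w in SENSITIVE_WORDS):
                findings.append((n, "ref_mention", name))
    return findings


# Constructed samples for a stand-alone run.
SAMPLE_LOGSTASH_YML = """\
# constructed logstash.yml
node.name: ls-demo
log.format: json
"""

SAMPLE_PIPELINE = """\
input { beats { port => 5044 } }
output {
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]
    user => "logstash_writer"
    password => "${ES_PASSWORD}"
  }
}
"""

SAMPLE_LOGS = [
    '{"level":"INFO","loggerName":"logstash.runner","message":"Starting Logstash"}',
    '{"level":"DEBUG","loggerName":"logstash.outputs.elasticsearch","message":"config",'
    '"password":"hunter2-constructed"}',
    '{"level":"INFO","loggerName":"logstash.config.source","message":"password => ${ES_PASSWORD}"}',
    "This is a plain-text line that should be ignored",
]

if __name__ == "__main__":
    print("preconditions met:", is_exposed_configuration(SAMPLE_LOGSTASH_YML, SAMPLE_PIPELINE))
    for finding in scan_json_logs(SAMPLE_LOGS, keystore_refs(SAMPLE_PIPELINE),
                                  known_values=("hunter2-constructed",)):
        print(finding)
```

On a real host, feed `log_format` the contents of `/etc/logstash/logstash.yml`, `keystore_refs` each file under the pipeline directory, and `scan_json_logs` the lines of the Logstash log files; the same value-leak check is the one to repeat after upgrading to 8.11.1 to confirm the fix. Only `value_leak` findings are conclusive; a `ref_mention` can be the unresolved `${NAME}` placeholder echoed from configuration.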
🔗 References
- https://discuss.elastic.co/t/logstash-8-11-1-security-update-esa-2023-26/347191
- https://security.netapp.com/advisory/ntap-20240125-0002/
- https://security.netapp.com/advisory/ntap-20240229-0001/
- https://www.elastic.co/community/security