cvelistv5 - cve-2018-3817

CVE-2018-3817 (GCVE-0-2018-3817)

Vulnerability from cvelistv5

Published

2018-03-30 20:00

Modified

2024-08-05 04:57

Severity ?

CWE

CWE-532 - Information Exposure Through Log Files

Summary

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

References

URL

	Vendor	Product	Version
	Elastic	Logstash	Version: Before 6.1.2 or 5.6.6

fkie_cve-2018-3817

Vulnerability from fkie_nvd

Published

2018-03-30 20:29

Modified

2024-11-21 04:06

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

References

	URL	Tags
	bressers@elastic.co	https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763	Vendor Advisory

Impacted products

	Vendor	Product	Version
	elastic	logstash	*
	elastic	logstash	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48B4D383-B1C5-4076-A489-B52CB2EE7456",
              "versionEndExcluding": "5.6.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE89EA35-5BB9-4E33-958C-0101DD806C15",
              "versionEndExcluding": "6.1.2",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
    },
    {
      "lang": "es",
      "value": "Cuando se registran avisos sobre configuraciones obsoletas, Logstash en versiones anteriores a la 5.6.6 y 6.x anteriores a la 6.1.2 podr\u00eda registrar de manera inadvertida informaci\u00f3n sensible."
    }
  ],
  "id": "CVE-2018-3817",
  "lastModified": "2024-11-21T04:06:05.577",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-03-30T20:29:00.227",
  "references": [
    {
      "source": "bressers@elastic.co",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
    }
  ],
  "sourceIdentifier": "bressers@elastic.co",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "bressers@elastic.co",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2018-3817

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

Aliases

CVE-2018-3817

Aliases

CVE-2018-3817

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-3817",
    "description": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
    "id": "GSD-2018-3817",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-3817.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-3817"
      ],
      "details": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
      "id": "GSD-2018-3817",
      "modified": "2023-12-13T01:22:43.067028Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@elastic.co",
        "ID": "CVE-2018-3817",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Logstash",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Before 6.1.2 or 5.6.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Elastic"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-532: Information Exposure Through Log Files"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
            "refsource": "CONFIRM",
            "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.6.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "6.1.2",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2018-3817"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-09T23:40Z",
      "publishedDate": "2018-03-30T20:29Z"
    }
  }
}

suse-su-2018:2536-1

Vulnerability from csaf_suse

Published

2018-08-28 09:05

Modified

2018-08-28 09:05

Summary

Security update for grafana, kafka, logstash and monasca-installer

Notes

Title of the patch

Security update for grafana, kafka, logstash and monasca-installer

Description of the patch

This update for grafana, kafka, logstash and monasca-installer fixes the following issues: The following security issues have been fixed: grafana: - CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in dashboard links. (bsc#1096985) kafka: - CVE-2018-1288: Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss. (bsc#1102920) logstash: - CVE-2018-3817: Fix potential leak of sensitive data when logging warnings about deprecated options. (bsc#1090849) Additionally, the following non-security issues have been fixed: monasca-installer: - Add complete set of elasticsearch performance tunables. - Update to version Build_20180427_14.04 (bsc#1090192, bsc#1090343) - Fix bad elasticsearch-curator configuration. (bsc#1090192) - Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343) logstash: - Declare Gemfile as config to prevent loss of installed plugins when updating. - Stop installing prebuilt jruby for non-x86. kafka: - Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288) - Add noreplace directive for /etc/kafka/server.properties. - Reduce package ownership of tmpfiles.d to bare minium. (SLE12 SP2) - Set log rotation options. (bsc#1094448) - Disable jmxremote debugging. (bsc#1095603) - Increase open file limits. (bsc#1086909)

Patchnames

SUSE-OpenStack-Cloud-7-2018-1771

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for grafana, kafka, logstash and monasca-installer",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for grafana, kafka, logstash and monasca-installer fixes the following issues:\n\nThe following security issues have been fixed:\n\ngrafana:\n\n- CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in dashboard links. (bsc#1096985)\n\nkafka:\n\n- CVE-2018-1288: Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch\n  request interfering with data replication, resulting in data loss. (bsc#1102920)\n\nlogstash:\n\n- CVE-2018-3817: Fix potential leak of sensitive data when logging warnings about deprecated options. (bsc#1090849)\n\nAdditionally, the following non-security issues have been fixed:\n\nmonasca-installer:\n\n- Add complete set of elasticsearch performance tunables.\n- Update to version Build_20180427_14.04 (bsc#1090192, bsc#1090343)\n- Fix bad elasticsearch-curator configuration. (bsc#1090192)\n- Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343)\n\nlogstash:\n\n- Declare Gemfile as config to prevent loss of installed plugins when updating.\n- Stop installing prebuilt jruby for non-x86.\n\nkafka: \n\n- Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288)\n- Add noreplace directive for /etc/kafka/server.properties.\n- Reduce package ownership of tmpfiles.d to bare minium. (SLE12 SP2) \n- Set log rotation options. (bsc#1094448)\n- Disable jmxremote debugging. (bsc#1095603)\n- Increase open file limits. (bsc#1086909)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-OpenStack-Cloud-7-2018-1771",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2536-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2018:2536-1",
        "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182536-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2018:2536-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004502.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1086909",
        "url": "https://bugzilla.suse.com/1086909"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1090192",
        "url": "https://bugzilla.suse.com/1090192"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1090343",
        "url": "https://bugzilla.suse.com/1090343"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1090849",
        "url": "https://bugzilla.suse.com/1090849"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1094448",
        "url": "https://bugzilla.suse.com/1094448"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1095603",
        "url": "https://bugzilla.suse.com/1095603"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1096985",
        "url": "https://bugzilla.suse.com/1096985"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1102920",
        "url": "https://bugzilla.suse.com/1102920"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-12099 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-12099/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1288 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1288/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-3817 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-3817/"
      }
    ],
    "title": "Security update for grafana, kafka, logstash and monasca-installer",
    "tracking": {
      "current_release_date": "2018-08-28T09:05:28Z",
      "generator": {
        "date": "2018-08-28T09:05:28Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2018:2536-1",
      "initial_release_date": "2018-08-28T09:05:28Z",
      "revision_history": [
        {
          "date": "2018-08-28T09:05:28Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "monasca-installer-20180608_12.47-9.1.noarch",
                "product": {
                  "name": "monasca-installer-20180608_12.47-9.1.noarch",
                  "product_id": "monasca-installer-20180608_12.47-9.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-4.5.1-1.8.1.x86_64",
                "product": {
                  "name": "grafana-4.5.1-1.8.1.x86_64",
                  "product_id": "grafana-4.5.1-1.8.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kafka-0.10.2.2-5.1.x86_64",
                "product": {
                  "name": "kafka-0.10.2.2-5.1.x86_64",
                  "product_id": "kafka-0.10.2.2-5.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "logstash-2.4.1-5.1.x86_64",
                "product": {
                  "name": "logstash-2.4.1-5.1.x86_64",
                  "product_id": "logstash-2.4.1-5.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 7",
                "product": {
                  "name": "SUSE OpenStack Cloud 7",
                  "product_id": "SUSE OpenStack Cloud 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-4.5.1-1.8.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64"
        },
        "product_reference": "grafana-4.5.1-1.8.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-0.10.2.2-5.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64"
        },
        "product_reference": "kafka-0.10.2.2-5.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logstash-2.4.1-5.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64"
        },
        "product_reference": "logstash-2.4.1-5.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "monasca-installer-20180608_12.47-9.1.noarch as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
        },
        "product_reference": "monasca-installer-20180608_12.47-9.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12099",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-12099"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
          "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
          "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
          "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-12099",
          "url": "https://www.suse.com/security/cve/CVE-2018-12099"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1096985 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1096985"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172450 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1172450"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174583 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1174583"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1175951 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1175951"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-08-28T09:05:28Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-12099"
    },
    {
      "cve": "CVE-2018-1288",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1288"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
          "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
          "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
          "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1288",
          "url": "https://www.suse.com/security/cve/CVE-2018-1288"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1102920 for CVE-2018-1288",
          "url": "https://bugzilla.suse.com/1102920"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-08-28T09:05:28Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-1288"
    },
    {
      "cve": "CVE-2018-3817",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-3817"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
          "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
          "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
          "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-3817",
          "url": "https://www.suse.com/security/cve/CVE-2018-3817"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1090849 for CVE-2018-3817",
          "url": "https://bugzilla.suse.com/1090849"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
            "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
            "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
            "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-08-28T09:05:28Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-3817"
    }
  ]
}

suse-su-2018:2317-1

Vulnerability from csaf_suse

Published

2018-08-14 06:03

Modified

2018-08-14 06:03

Summary

Security update for grafana, kafka, logstash, openstack-monasca-installer

Notes

Title of the patch

Security update for grafana, kafka, logstash, openstack-monasca-installer

Description of the patch

This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues: Security issues fixed: - CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985). - CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information (bsc#1090849). Bug fixes: - bsc#1095603: Disable jmxremote debugging. - bsc#1097847: Make time series database schema setup conditional. - bsc#1094448: Set log rotation options. - bsc#1090336: Add complete set of elasticsearch performance tunables. - bsc#1101366: Fix build issues with s390x, ppc64le and aarch64. - Fix various spec errors affecting Leap 15 and Tumbleweed

Patchnames

HPE-Helion-OpenStack-8-2018-1553,SUSE-OpenStack-Cloud-8-2018-1553,SUSE-OpenStack-Cloud-Crowbar-8-2018-1553

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for grafana, kafka, logstash, openstack-monasca-installer",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985).\n- CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information (bsc#1090849).\n\nBug fixes:\n\n- bsc#1095603: Disable jmxremote debugging.\n- bsc#1097847: Make time series database schema setup conditional.\n- bsc#1094448: Set log rotation options.\n- bsc#1090336: Add complete set of elasticsearch performance tunables.\n- bsc#1101366: Fix build issues with s390x, ppc64le and aarch64.\n- Fix various spec errors affecting Leap 15 and Tumbleweed \n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "HPE-Helion-OpenStack-8-2018-1553,SUSE-OpenStack-Cloud-8-2018-1553,SUSE-OpenStack-Cloud-Crowbar-8-2018-1553",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2317-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2018:2317-1",
        "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182317-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2018:2317-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004406.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1090336",
        "url": "https://bugzilla.suse.com/1090336"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1090849",
        "url": "https://bugzilla.suse.com/1090849"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1094448",
        "url": "https://bugzilla.suse.com/1094448"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1095603",
        "url": "https://bugzilla.suse.com/1095603"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1096985",
        "url": "https://bugzilla.suse.com/1096985"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1097847",
        "url": "https://bugzilla.suse.com/1097847"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1101366",
        "url": "https://bugzilla.suse.com/1101366"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-12099 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-12099/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-3817 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-3817/"
      }
    ],
    "title": "Security update for grafana, kafka, logstash, openstack-monasca-installer",
    "tracking": {
      "current_release_date": "2018-08-14T06:03:57Z",
      "generator": {
        "date": "2018-08-14T06:03:57Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2018:2317-1",
      "initial_release_date": "2018-08-14T06:03:57Z",
      "revision_history": [
        {
          "date": "2018-08-14T06:03:57Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
                "product": {
                  "name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
                  "product_id": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-4.5.1-4.3.1.x86_64",
                "product": {
                  "name": "grafana-4.5.1-4.3.1.x86_64",
                  "product_id": "grafana-4.5.1-4.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kafka-0.9.0.1-5.3.1.x86_64",
                "product": {
                  "name": "kafka-0.9.0.1-5.3.1.x86_64",
                  "product_id": "kafka-0.9.0.1-5.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "logstash-2.4.1-5.4.1.x86_64",
                "product": {
                  "name": "logstash-2.4.1-5.4.1.x86_64",
                  "product_id": "logstash-2.4.1-5.4.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "HPE Helion OpenStack 8",
                "product": {
                  "name": "HPE Helion OpenStack 8",
                  "product_id": "HPE Helion OpenStack 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:hpe-helion-openstack:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 8",
                "product": {
                  "name": "SUSE OpenStack Cloud 8",
                  "product_id": "SUSE OpenStack Cloud 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud Crowbar 8",
                "product": {
                  "name": "SUSE OpenStack Cloud Crowbar 8",
                  "product_id": "SUSE OpenStack Cloud Crowbar 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-4.5.1-4.3.1.x86_64 as component of HPE Helion OpenStack 8",
          "product_id": "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64"
        },
        "product_reference": "grafana-4.5.1-4.3.1.x86_64",
        "relates_to_product_reference": "HPE Helion OpenStack 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-0.9.0.1-5.3.1.x86_64 as component of HPE Helion OpenStack 8",
          "product_id": "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64"
        },
        "product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
        "relates_to_product_reference": "HPE Helion OpenStack 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logstash-2.4.1-5.4.1.x86_64 as component of HPE Helion OpenStack 8",
          "product_id": "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64"
        },
        "product_reference": "logstash-2.4.1-5.4.1.x86_64",
        "relates_to_product_reference": "HPE Helion OpenStack 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of HPE Helion OpenStack 8",
          "product_id": "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
        },
        "product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
        "relates_to_product_reference": "HPE Helion OpenStack 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-4.5.1-4.3.1.x86_64 as component of SUSE OpenStack Cloud 8",
          "product_id": "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64"
        },
        "product_reference": "grafana-4.5.1-4.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-0.9.0.1-5.3.1.x86_64 as component of SUSE OpenStack Cloud 8",
          "product_id": "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64"
        },
        "product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logstash-2.4.1-5.4.1.x86_64 as component of SUSE OpenStack Cloud 8",
          "product_id": "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64"
        },
        "product_reference": "logstash-2.4.1-5.4.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of SUSE OpenStack Cloud 8",
          "product_id": "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
        },
        "product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-4.5.1-4.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64"
        },
        "product_reference": "grafana-4.5.1-4.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kafka-0.9.0.1-5.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64"
        },
        "product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "logstash-2.4.1-5.4.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64"
        },
        "product_reference": "logstash-2.4.1-5.4.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
        },
        "product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12099",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-12099"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
          "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
          "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
          "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
          "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
          "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
          "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
          "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
          "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-12099",
          "url": "https://www.suse.com/security/cve/CVE-2018-12099"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1096985 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1096985"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172450 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1172450"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174583 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1174583"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1175951 for CVE-2018-12099",
          "url": "https://bugzilla.suse.com/1175951"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
            "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
            "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
            "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
            "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
            "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
            "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-08-14T06:03:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-12099"
    },
    {
      "cve": "CVE-2018-3817",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-3817"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
          "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
          "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
          "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
          "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
          "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
          "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
          "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
          "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-3817",
          "url": "https://www.suse.com/security/cve/CVE-2018-3817"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1090849 for CVE-2018-3817",
          "url": "https://bugzilla.suse.com/1090849"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
            "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
            "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
            "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
            "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
            "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
            "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
            "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2018-08-14T06:03:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-3817"
    }
  ]
}

ghsa-m5wv-852x-cj2g

Vulnerability from github

Published

2022-05-13 01:32

Modified

2022-05-13 01:32

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2018-3817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-30T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
  "id": "GHSA-m5wv-852x-cj2g",
  "modified": "2022-05-13T01:32:18Z",
  "published": "2022-05-13T01:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3817"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cnvd-2018-08330

Vulnerability from cnvd

Title

Elasticsearch Logstash信息泄露漏洞（CNVD-2018-08330）

Description

Elasticsearch Logstash是荷兰Elasticsearch公司的一套日志分析和监控工具。该工具提供日志或事件的搜索、处理和管理等功能。 Elasticsearch Logstash存在信息泄露漏洞。攻击者可以利用此漏洞访问受影响系统上的敏感信息。

Severity

中

Patch Name

Elasticsearch Logstash信息泄露漏洞（CNVD-2018-08330）的补丁

Patch Description

Elasticsearch Logstash是荷兰Elasticsearch公司的一套日志分析和监控工具。该工具提供日志或事件的搜索、处理和管理等功能。 Elasticsearch Logstash存在信息泄露漏洞。攻击者可以利用此漏洞访问受影响系统上的敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763

Reference

https://tools.cisco.com/security/center/viewAlert.x?alertId=57304

Impacted products

Name
['ElasticSearch Logstash <5.6.6', 'ElasticSearch Logstash 6.*，<6.1.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-3817"
    }
  },
  "description": "Elasticsearch Logstash\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u65e5\u5fd7\u5206\u6790\u548c\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u63d0\u4f9b\u65e5\u5fd7\u6216\u4e8b\u4ef6\u7684\u641c\u7d22\u3001\u5904\u7406\u548c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nElasticsearch Logstash\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e0a\u7684\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-08330",
  "openTime": "2018-04-25",
  "patchDescription": "Elasticsearch Logstash\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u65e5\u5fd7\u5206\u6790\u548c\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u63d0\u4f9b\u65e5\u5fd7\u6216\u4e8b\u4ef6\u7684\u641c\u7d22\u3001\u5904\u7406\u548c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nElasticsearch Logstash\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e0a\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Elasticsearch Logstash\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-08330\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ElasticSearch Logstash \u003c5.6.6",
      "ElasticSearch Logstash 6.*\uff0c\u003c6.1.2"
    ]
  },
  "referenceLink": "https://tools.cisco.com/security/center/viewAlert.x?alertId=57304",
  "serverity": "\u4e2d",
  "submitTime": "2018-04-04",
  "title": "Elasticsearch Logstash\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-08330\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2018-3817 (GCVE-0-2018-3817)

Vulnerability from cvelistv5

fkie_cve-2018-3817

Vulnerability from fkie_nvd

gsd-2018-3817

Vulnerability from gsd

suse-su-2018:2536-1

Vulnerability from csaf_suse

suse-su-2018:2317-1

Vulnerability from csaf_suse

ghsa-m5wv-852x-cj2g

Vulnerability from github

cnvd-2018-08330

Vulnerability from cnvd

Tags

Sightings

Nomenclature