CVE-2018-3817 (GCVE-0-2018-3817)
Vulnerability from cvelistv5 – Published: 2018-03-30 20:00 – Updated: 2024-08-05 04:57
Summary
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Severity ?
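No CVSS data available in the CNA record. The NVD enrichment embedded in the record below scores this issue 6.5 (Medium), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while the SUSE advisories further down score it 4.3 (Medium), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.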
CWE
- CWE-532 - Information Exposure Through Log Files
Assigner
References
| URL | Tags |
|---|---|
| https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763 | x_refsource_CONFIRM |
Date Public ?
2018-01-16 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:57:22.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Logstash",
"vendor": "Elastic",
"versions": [
{
"status": "affected",
"version": "Before 6.1.2 or 5.6.6"
}
]
}
],
"datePublic": "2018-01-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Information Exposure Through Log Files",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-30T19:57:01.000Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2018-3817",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logstash",
"version": {
"version_data": [
{
"version_value": "Before 6.1.2 or 5.6.6"
}
]
}
}
]
},
"vendor_name": "Elastic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532: Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
"refsource": "CONFIRM",
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2018-3817",
"datePublished": "2018-03-30T20:00:00.000Z",
"dateReserved": "2018-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-05T04:57:22.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2018-3817\",\"sourceIdentifier\":\"security@elastic.co\",\"published\":\"2018-03-30T20:29:00.227\",\"lastModified\":\"2024-11-21T04:06:05.577\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.\"},{\"lang\":\"es\",\"value\":\"Cuando se registran avisos sobre configuraciones obsoletas, Logstash en versiones anteriores a la 5.6.6 y 6.x anteriores a la 6.1.2 podr\u00eda registrar de manera inadvertida informaci\u00f3n sensible.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@elastic.co\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configura
tions\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.6.6\",\"matchCriteriaId\":\"48B4D383-B1C5-4076-A489-B52CB2EE7456\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.1.2\",\"matchCriteriaId\":\"CE89EA35-5BB9-4E33-958C-0101DD806C15\"}]}]}],\"references\":[{\"url\":\"https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763\",\"source\":\"security@elastic.co\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
CNVD-2018-08330
Vulnerability from cnvd - Published: 2018-04-25
VLAI Severity ?
Title
Elasticsearch Logstash信息泄露漏洞(CNVD-2018-08330)
Description
Elasticsearch Logstash是荷兰Elasticsearch公司的一套日志分析和监控工具。该工具提供日志或事件的搜索、处理和管理等功能。
Elasticsearch Logstash存在信息泄露漏洞。攻击者可以利用此漏洞访问受影响系统上的敏感信息。
Severity
中
Patch Name
Elasticsearch Logstash信息泄露漏洞(CNVD-2018-08330)的补丁
Patch Description
Elasticsearch Logstash是荷兰Elasticsearch公司的一套日志分析和监控工具。该工具提供日志或事件的搜索、处理和管理等功能。
Elasticsearch Logstash存在信息泄露漏洞。攻击者可以利用此漏洞访问受影响系统上的敏感信息。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763
Reference
https://tools.cisco.com/security/center/viewAlert.x?alertId=57304
Impacted products
| Name |
|---|
| ElasticSearch Logstash <5.6.6 |
| ElasticSearch Logstash 6.*,<6.1.2 |
{
"cves": {
"cve": {
"cveNumber": "CVE-2018-3817"
}
},
"description": "Elasticsearch Logstash\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u65e5\u5fd7\u5206\u6790\u548c\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u63d0\u4f9b\u65e5\u5fd7\u6216\u4e8b\u4ef6\u7684\u641c\u7d22\u3001\u5904\u7406\u548c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nElasticsearch Logstash\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e0a\u7684\u654f\u611f\u4fe1\u606f\u3002",
"discovererName": "unknwon",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2018-08330",
"openTime": "2018-04-25",
"patchDescription": "Elasticsearch Logstash\u662f\u8377\u5170Elasticsearch\u516c\u53f8\u7684\u4e00\u5957\u65e5\u5fd7\u5206\u6790\u548c\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u63d0\u4f9b\u65e5\u5fd7\u6216\u4e8b\u4ef6\u7684\u641c\u7d22\u3001\u5904\u7406\u548c\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nElasticsearch Logstash\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u5f71\u54cd\u7cfb\u7edf\u4e0a\u7684\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Elasticsearch Logstash\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-08330\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"ElasticSearch Logstash \u003c5.6.6",
"ElasticSearch Logstash 6.*\uff0c\u003c6.1.2"
]
},
"referenceLink": "https://tools.cisco.com/security/center/viewAlert.x?alertId=57304",
"serverity": "\u4e2d",
"submitTime": "2018-04-04",
"title": "Elasticsearch Logstash\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2018-08330\uff09"
}
GHSA-M5WV-852X-CJ2G
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
Details
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Severity ?
6.5 (Medium)
{
"affected": [],
"aliases": [
"CVE-2018-3817"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-30T20:29:00Z",
"severity": "MODERATE"
},
"details": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
"id": "GHSA-m5wv-852x-cj2g",
"modified": "2022-05-13T01:32:18Z",
"published": "2022-05-13T01:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3817"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
SUSE-SU-2018:2536-1
Vulnerability from csaf_suse - Published: 2018-08-28 09:05 - Updated: 2018-08-28 09:05
Summary
Security update for grafana, kafka, logstash and monasca-installer
Severity
Moderate
Notes
Title of the patch: Security update for grafana, kafka, logstash and monasca-installer
Description of the patch: This update for grafana, kafka, logstash and monasca-installer fixes the following issues:
The following security issues have been fixed:
grafana:
- CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in dashboard links. (bsc#1096985)
kafka:
- CVE-2018-1288: Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch
request interfering with data replication, resulting in data loss. (bsc#1102920)
logstash:
- CVE-2018-3817: Fix potential leak of sensitive data when logging warnings about deprecated options. (bsc#1090849)
Additionally, the following non-security issues have been fixed:
monasca-installer:
- Add complete set of elasticsearch performance tunables.
- Update to version Build_20180427_14.04 (bsc#1090192, bsc#1090343)
- Fix bad elasticsearch-curator configuration. (bsc#1090192)
- Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343)
logstash:
- Declare Gemfile as config to prevent loss of installed plugins when updating.
- Stop installing prebuilt jruby for non-x86.
kafka:
- Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288)
- Add noreplace directive for /etc/kafka/server.properties.
- Reduce package ownership of tmpfiles.d to bare minimum. (SLE12 SP2)
- Set log rotation options. (bsc#1094448)
- Disable jmxremote debugging. (bsc#1095603)
- Increase open file limits. (bsc#1086909)
Patchnames: SUSE-OpenStack-Cloud-7-2018-1771
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CVE-2018-12099: 5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
CVE-2018-1288: 8.1 (High)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
CVE-2018-3817: 4.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for grafana, kafka, logstash and monasca-installer",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for grafana, kafka, logstash and monasca-installer fixes the following issues:\n\nThe following security issues have been fixed:\n\ngrafana:\n\n- CVE-2018-12099: Fix Cross-Site-Scripting (XSS) vulnerabilities in dashboard links. (bsc#1096985)\n\nkafka:\n\n- CVE-2018-1288: Authenticated Kafka users may perform action reserved for the Broker via a manually created fetch\n request interfering with data replication, resulting in data loss. (bsc#1102920)\n\nlogstash:\n\n- CVE-2018-3817: Fix potential leak of sensitive data when logging warnings about deprecated options. (bsc#1090849)\n\nAdditionally, the following non-security issues have been fixed:\n\nmonasca-installer:\n\n- Add complete set of elasticsearch performance tunables.\n- Update to version Build_20180427_14.04 (bsc#1090192, bsc#1090343)\n- Fix bad elasticsearch-curator configuration. (bsc#1090192)\n- Enable bootstrap.memory_lock for Elasticsearch. (bsc#1090343)\n\nlogstash:\n\n- Declare Gemfile as config to prevent loss of installed plugins when updating.\n- Stop installing prebuilt jruby for non-x86.\n\nkafka: \n\n- Update to version 0.10.2.2 (bsc#1102920, CVE-2018-1288)\n- Add noreplace directive for /etc/kafka/server.properties.\n- Reduce package ownership of tmpfiles.d to bare minium. (SLE12 SP2) \n- Set log rotation options. (bsc#1094448)\n- Disable jmxremote debugging. (bsc#1095603)\n- Increase open file limits. (bsc#1086909)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-1771",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2536-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2536-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182536-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2536-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004502.html"
},
{
"category": "self",
"summary": "SUSE Bug 1086909",
"url": "https://bugzilla.suse.com/1086909"
},
{
"category": "self",
"summary": "SUSE Bug 1090192",
"url": "https://bugzilla.suse.com/1090192"
},
{
"category": "self",
"summary": "SUSE Bug 1090343",
"url": "https://bugzilla.suse.com/1090343"
},
{
"category": "self",
"summary": "SUSE Bug 1090849",
"url": "https://bugzilla.suse.com/1090849"
},
{
"category": "self",
"summary": "SUSE Bug 1094448",
"url": "https://bugzilla.suse.com/1094448"
},
{
"category": "self",
"summary": "SUSE Bug 1095603",
"url": "https://bugzilla.suse.com/1095603"
},
{
"category": "self",
"summary": "SUSE Bug 1096985",
"url": "https://bugzilla.suse.com/1096985"
},
{
"category": "self",
"summary": "SUSE Bug 1102920",
"url": "https://bugzilla.suse.com/1102920"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12099 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12099/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-1288 page",
"url": "https://www.suse.com/security/cve/CVE-2018-1288/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3817 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3817/"
}
],
"title": "Security update for grafana, kafka, logstash and monasca-installer",
"tracking": {
"current_release_date": "2018-08-28T09:05:28Z",
"generator": {
"date": "2018-08-28T09:05:28Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2536-1",
"initial_release_date": "2018-08-28T09:05:28Z",
"revision_history": [
{
"date": "2018-08-28T09:05:28Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "monasca-installer-20180608_12.47-9.1.noarch",
"product": {
"name": "monasca-installer-20180608_12.47-9.1.noarch",
"product_id": "monasca-installer-20180608_12.47-9.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-4.5.1-1.8.1.x86_64",
"product": {
"name": "grafana-4.5.1-1.8.1.x86_64",
"product_id": "grafana-4.5.1-1.8.1.x86_64"
}
},
{
"category": "product_version",
"name": "kafka-0.10.2.2-5.1.x86_64",
"product": {
"name": "kafka-0.10.2.2-5.1.x86_64",
"product_id": "kafka-0.10.2.2-5.1.x86_64"
}
},
{
"category": "product_version",
"name": "logstash-2.4.1-5.1.x86_64",
"product": {
"name": "logstash-2.4.1-5.1.x86_64",
"product_id": "logstash-2.4.1-5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-4.5.1-1.8.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64"
},
"product_reference": "grafana-4.5.1-1.8.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kafka-0.10.2.2-5.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64"
},
"product_reference": "kafka-0.10.2.2-5.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "logstash-2.4.1-5.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64"
},
"product_reference": "logstash-2.4.1-5.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "monasca-installer-20180608_12.47-9.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
},
"product_reference": "monasca-installer-20180608_12.47-9.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12099",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12099"
}
],
"notes": [
{
"category": "general",
"text": "Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12099",
"url": "https://www.suse.com/security/cve/CVE-2018-12099"
},
{
"category": "external",
"summary": "SUSE Bug 1096985 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1096985"
},
{
"category": "external",
"summary": "SUSE Bug 1172450 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1172450"
},
{
"category": "external",
"summary": "SUSE Bug 1174583 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1174583"
},
{
"category": "external",
"summary": "SUSE Bug 1175951 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1175951"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-28T09:05:28Z",
"details": "moderate"
}
],
"title": "CVE-2018-12099"
},
{
"cve": "CVE-2018-1288",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-1288"
}
],
"notes": [
{
"category": "general",
"text": "In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.0 to 0.11.0.2, and 1.0.0, authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request interfering with data replication, resulting in data loss.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-1288",
"url": "https://www.suse.com/security/cve/CVE-2018-1288"
},
{
"category": "external",
"summary": "SUSE Bug 1102920 for CVE-2018-1288",
"url": "https://bugzilla.suse.com/1102920"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-28T09:05:28Z",
"details": "important"
}
],
"title": "CVE-2018-1288"
},
{
"cve": "CVE-2018-3817",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3817"
}
],
"notes": [
{
"category": "general",
"text": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3817",
"url": "https://www.suse.com/security/cve/CVE-2018-3817"
},
{
"category": "external",
"summary": "SUSE Bug 1090849 for CVE-2018-3817",
"url": "https://bugzilla.suse.com/1090849"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:grafana-4.5.1-1.8.1.x86_64",
"SUSE OpenStack Cloud 7:kafka-0.10.2.2-5.1.x86_64",
"SUSE OpenStack Cloud 7:logstash-2.4.1-5.1.x86_64",
"SUSE OpenStack Cloud 7:monasca-installer-20180608_12.47-9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-28T09:05:28Z",
"details": "moderate"
}
],
"title": "CVE-2018-3817"
}
]
}
SUSE-SU-2018:2317-1
Vulnerability from csaf_suse - Published: 2018-08-14 06:03 - Updated: 2018-08-14 06:03
Summary
Security update for grafana, kafka, logstash, openstack-monasca-installer
Severity
Moderate
Notes
Title of the patch: Security update for grafana, kafka, logstash, openstack-monasca-installer
Description of the patch: This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues:
Security issues fixed:
- CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985).
- CVE-2018-3817: logstash: Fix inadvertent logging of sensitive information (bsc#1090849).
Bug fixes:
- bsc#1095603: Disable jmxremote debugging.
- bsc#1097847: Make time series database schema setup conditional.
- bsc#1094448: Set log rotation options.
- bsc#1090336: Add complete set of elasticsearch performance tunables.
- bsc#1101366: Fix build issues with s390x, ppc64le and aarch64.
- Fix various spec errors affecting Leap 15 and Tumbleweed
Patchnames: HPE-Helion-OpenStack-8-2018-1553,SUSE-OpenStack-Cloud-8-2018-1553,SUSE-OpenStack-Cloud-Crowbar-8-2018-1553
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
4.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for grafana, kafka, logstash, openstack-monasca-installer",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for grafana, kafka, logstash, openstack-monasca-installer fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-12099: grafana: Fix XSS vulnerabilities in dashboard links (bsc#1096985).\n- CVE-2018-3817: logstash: Fix inadvertently logging of sensitive information (bsc#1090849).\n\nBug fixes:\n\n- bsc#1095603: Disable jmxremote debugging.\n- bsc#1097847: Make time series database schema setup conditional.\n- bsc#1094448: Set log rotation options.\n- bsc#1090336: Add complete set of elasticsearch performance tunables.\n- bsc#1101366: Fix build issues with s390x, ppc64le and aarch64.\n- Fix various spec errors affecting Leap 15 and Tumbleweed \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "HPE-Helion-OpenStack-8-2018-1553,SUSE-OpenStack-Cloud-8-2018-1553,SUSE-OpenStack-Cloud-Crowbar-8-2018-1553",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2317-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2317-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182317-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2317-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004406.html"
},
{
"category": "self",
"summary": "SUSE Bug 1090336",
"url": "https://bugzilla.suse.com/1090336"
},
{
"category": "self",
"summary": "SUSE Bug 1090849",
"url": "https://bugzilla.suse.com/1090849"
},
{
"category": "self",
"summary": "SUSE Bug 1094448",
"url": "https://bugzilla.suse.com/1094448"
},
{
"category": "self",
"summary": "SUSE Bug 1095603",
"url": "https://bugzilla.suse.com/1095603"
},
{
"category": "self",
"summary": "SUSE Bug 1096985",
"url": "https://bugzilla.suse.com/1096985"
},
{
"category": "self",
"summary": "SUSE Bug 1097847",
"url": "https://bugzilla.suse.com/1097847"
},
{
"category": "self",
"summary": "SUSE Bug 1101366",
"url": "https://bugzilla.suse.com/1101366"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-12099 page",
"url": "https://www.suse.com/security/cve/CVE-2018-12099/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3817 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3817/"
}
],
"title": "Security update for grafana, kafka, logstash, openstack-monasca-installer",
"tracking": {
"current_release_date": "2018-08-14T06:03:57Z",
"generator": {
"date": "2018-08-14T06:03:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2317-1",
"initial_release_date": "2018-08-14T06:03:57Z",
"revision_history": [
{
"date": "2018-08-14T06:03:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"product": {
"name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"product_id": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-4.5.1-4.3.1.x86_64",
"product": {
"name": "grafana-4.5.1-4.3.1.x86_64",
"product_id": "grafana-4.5.1-4.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "kafka-0.9.0.1-5.3.1.x86_64",
"product": {
"name": "kafka-0.9.0.1-5.3.1.x86_64",
"product_id": "kafka-0.9.0.1-5.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "logstash-2.4.1-5.4.1.x86_64",
"product": {
"name": "logstash-2.4.1-5.4.1.x86_64",
"product_id": "logstash-2.4.1-5.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "HPE Helion OpenStack 8",
"product": {
"name": "HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:hpe-helion-openstack:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 8",
"product": {
"name": "SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:8"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-4.5.1-4.3.1.x86_64 as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64"
},
"product_reference": "grafana-4.5.1-4.3.1.x86_64",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kafka-0.9.0.1-5.3.1.x86_64 as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64"
},
"product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "logstash-2.4.1-5.4.1.x86_64 as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64"
},
"product_reference": "logstash-2.4.1-5.4.1.x86_64",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of HPE Helion OpenStack 8",
"product_id": "HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
},
"product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"relates_to_product_reference": "HPE Helion OpenStack 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-4.5.1-4.3.1.x86_64 as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64"
},
"product_reference": "grafana-4.5.1-4.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kafka-0.9.0.1-5.3.1.x86_64 as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64"
},
"product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "logstash-2.4.1-5.4.1.x86_64 as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64"
},
"product_reference": "logstash-2.4.1-5.4.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of SUSE OpenStack Cloud 8",
"product_id": "SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
},
"product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-4.5.1-4.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64"
},
"product_reference": "grafana-4.5.1-4.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kafka-0.9.0.1-5.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64"
},
"product_reference": "kafka-0.9.0.1-5.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "logstash-2.4.1-5.4.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64"
},
"product_reference": "logstash-2.4.1-5.4.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
},
"product_reference": "openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-12099",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-12099"
}
],
"notes": [
{
"category": "general",
"text": "Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-12099",
"url": "https://www.suse.com/security/cve/CVE-2018-12099"
},
{
"category": "external",
"summary": "SUSE Bug 1096985 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1096985"
},
{
"category": "external",
"summary": "SUSE Bug 1172450 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1172450"
},
{
"category": "external",
"summary": "SUSE Bug 1174583 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1174583"
},
{
"category": "external",
"summary": "SUSE Bug 1175951 for CVE-2018-12099",
"url": "https://bugzilla.suse.com/1175951"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-14T06:03:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-12099"
},
{
"cve": "CVE-2018-3817",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3817"
}
],
"notes": [
{
"category": "general",
"text": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3817",
"url": "https://www.suse.com/security/cve/CVE-2018-3817"
},
{
"category": "external",
"summary": "SUSE Bug 1090849 for CVE-2018-3817",
"url": "https://bugzilla.suse.com/1090849"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"HPE Helion OpenStack 8:grafana-4.5.1-4.3.1.x86_64",
"HPE Helion OpenStack 8:kafka-0.9.0.1-5.3.1.x86_64",
"HPE Helion OpenStack 8:logstash-2.4.1-5.4.1.x86_64",
"HPE Helion OpenStack 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:grafana-4.5.1-4.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:kafka-0.9.0.1-5.3.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:logstash-2.4.1-5.4.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:openstack-monasca-installer-20180622_15.06-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-14T06:03:57Z",
"details": "moderate"
}
],
"title": "CVE-2018-3817"
}
]
}
FKIE_CVE-2018-3817
Vulnerability from fkie_nvd - Published: 2018-03-30 20:29 - Updated: 2024-11-21 04:06
Severity ?
Summary
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48B4D383-B1C5-4076-A489-B52CB2EE7456",
"versionEndExcluding": "5.6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE89EA35-5BB9-4E33-958C-0101DD806C15",
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
},
{
"lang": "es",
"value": "Cuando se registran avisos sobre configuraciones obsoletas, Logstash en versiones anteriores a la 5.6.6 y 6.x anteriores a la 6.1.2 podr\u00eda registrar de manera inadvertida informaci\u00f3n sensible."
}
],
"id": "CVE-2018-3817",
"lastModified": "2024-11-21T04:06:05.577",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-03-30T20:29:00.227",
"references": [
{
"source": "security@elastic.co",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
],
"sourceIdentifier": "security@elastic.co",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "security@elastic.co",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GSD-2018-3817
Vulnerability from gsd - Updated: 2023-12-13 01:22
Details
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Aliases
{
"GSD": {
"alias": "CVE-2018-3817",
"description": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
"id": "GSD-2018-3817",
"references": [
"https://www.suse.com/security/cve/CVE-2018-3817.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2018-3817"
],
"details": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.",
"id": "GSD-2018-3817",
"modified": "2023-12-13T01:22:43.067028Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2018-3817",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Logstash",
"version": {
"version_data": [
{
"version_value": "Before 6.1.2 or 5.6.6"
}
]
}
}
]
},
"vendor_name": "Elastic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532: Information Exposure Through Log Files"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
"refsource": "CONFIRM",
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.6.6",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:elastic:logstash:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "6.1.2",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2018-3817"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-09T23:40Z",
"publishedDate": "2018-03-30T20:29Z"
}
}
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.