CVE-2023-46672 Overview
An information exposure vulnerability exists in Elastic Logstash that allows sensitive information to be recorded in Logstash logs under specific circumstances. This vulnerability occurs when Logstash is configured to log in JSON format (which is not the default logging format) and sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.
Critical Impact
Sensitive credentials and secrets stored in the Logstash keystore may be exposed in plaintext within log files, potentially allowing local attackers with log access to obtain confidential information.
Affected Products
- Elastic Logstash (versions prior to 8.11.1)
- Elastic Logstash 7.12.1 and earlier 7.x versions
- Systems using JSON logging format with keystore variables
Discovery Timeline
- 2023-11-15 - CVE-2023-46672 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-46672
Vulnerability Analysis
This vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). The issue arises from how Logstash handles sensitive data when JSON logging is enabled. Under normal operations, the Logstash keystore provides a secure method for storing sensitive configuration values such as passwords, API keys, and other credentials. However, when JSON logging format is configured, the application inadvertently writes these sensitive values to log files in a recoverable format.
The vulnerability requires local access to exploit, as an attacker must be able to read the Logstash log files to extract the sensitive information. While this limits the attack surface, it presents significant risk in shared hosting environments, compromised systems, or scenarios where log files are aggregated to centralized logging platforms with insufficient access controls.
Root Cause
The root cause of this vulnerability lies in the improper handling of sensitive keystore variables during JSON log serialization. When Logstash processes configuration data for JSON logging output, it fails to properly redact or mask sensitive values that are referenced from the keystore. This results in plaintext credentials being written to log files, defeating the purpose of the secure keystore storage mechanism.
Attack Vector
The attack vector is local, requiring an attacker to have read access to the Logstash log files. Exploitation scenarios include:
- Local User Access: A local user with read permissions to the log directory can extract sensitive credentials
- Log Aggregation Exposure: If logs are shipped to a centralized logging system (SIEM, Elasticsearch, etc.), unauthorized users with access to that system could view the sensitive data
- Backup Exposure: Log files included in system backups may expose credentials to backup administrators
- Post-Compromise Data Harvesting: An attacker who gains initial access to a system could harvest credentials from log files for lateral movement
The vulnerability manifests when both conditions are met: JSON logging is enabled via the command-line --log.format=json flag or equivalent configuration, and sensitive values from the keystore are referenced in the Logstash pipeline configuration.
Detection Methods for CVE-2023-46672
Indicators of Compromise
- Presence of sensitive data (passwords, API keys, tokens) in Logstash log files in JSON format
- Unexpected log file access patterns from unauthorized users or processes
- Large-scale log file reads that may indicate credential harvesting
- Evidence of log files being copied or exfiltrated from the system
Detection Strategies
- Audit logstash.yml for a log.format: json setting and Logstash startup parameters for the --log.format=json flag
- Implement file integrity monitoring on Logstash log directories to detect unauthorized access
- Review access logs for the log file directories to identify suspicious read operations
- Scan existing JSON-formatted log files for patterns matching credential formats (API keys, passwords, tokens)
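The last strategy above, scanning JSON-format log files for credential-like content, as an added example that is not part of this advisory or of Logstash itself. It parses each JSON log line, walks every nested string field and flags three things: a field containing a secret value the operator already knows (assumption: the values that were loaded into the keystore can be supplied from a protected file), a field whose key looks like a credential, and bearer/basic authorization shapes inside free-text messages. The sample lines are constructed and their field layout (level, loggerName, message) is assumed rather than copied from real Logstash output; findings carry a masked value, never the secret itself.

```python
"""Scan JSON-format Logstash log lines for leaked secrets (CVE-2023-46672 triage).

Hypothetical helper written for this page; it is not part of Logstash.
Findings carry the JSON path and a masked value, never the secret itself.
"""
import json
import re
import sys

# Field names that usually hold credentials.
SECRET_KEY_RE = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)"
)
# Authorization-header shapes that may appear inside free-text messages.
SECRET_VALUE_RE = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9+/=._-]{8,}")

# Constructed sample lines; the field layout (level, loggerName, message) is
# assumed, not copied from real Logstash output.
SAMPLE_LINES = [
    '{"level":"INFO","loggerName":"logstash.runner","timeMillis":1700000000000,'
    '"message":"Starting Logstash"}',
    '{"level":"DEBUG","loggerName":"logstash.outputs.elasticsearch","timeMillis":1700000000001,'
    '"message":"config","config":{"hosts":["https://es:9200"],'
    '"user":"logstash_writer","password":"hunter2-secret"}}',
    '{"level":"WARN","loggerName":"logstash.inputs.http","timeMillis":1700000000002,'
    '"message":"rejected header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed"}',
    "not json at all",
]


def _walk(obj, path=""):
    """Yield (json_path, value) for every string nested anywhere in a parsed document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def _mask(value):
    """Keep two characters so a finding can be matched to its source, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_line(line, known_secrets=()):
    """Return a list of findings for one log line; empty for clean or non-JSON lines."""
    try:
        doc = json.loads(line)
    except ValueError:
        return []  # plain-format lines are out of scope for this check
    logger = doc.get("loggerName", "?") if isinstance(doc, dict) else "?"
    findings = []
    for path, value in _walk(doc):
        leaf = path.rsplit(".", 1)[-1]
        if any(s and s in value for s in known_secrets):
            reason = "known-secret"
        elif value and SECRET_KEY_RE.search(leaf):
            reason = "secret-like-key"
        elif SECRET_VALUE_RE.search(value):
            reason = "secret-like-value"
        else:
            continue
        findings.append({"logger": logger, "path": path, "reason": reason, "value": _mask(value)})
    return findings


def scan_lines(lines, known_secrets=()):
    """Scan an iterable of lines, tagging each finding with its 1-based line number."""
    results = []
    for number, line in enumerate(lines, start=1):
        for finding in scan_line(line, known_secrets):
            results.append({"line": number, **finding})
    return results


if __name__ == "__main__":
    # Usage: scan.py <json-log-file> [file with one known secret per line]
    # Known secrets are read from a file rather than argv so they never land in
    # process listings or shell history.
    secrets = []
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            secrets = [s.rstrip("\n") for s in fh if s.strip()]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = scan_lines(fh, secrets)
    else:
        found = scan_lines(SAMPLE_LINES, secrets)
    for f in found:
        print(f"line {f['line']} {f['logger']} {f['path']} {f['reason']} value={f['value']}")
```

Matching against known values is the precise check: a hit means that exact keystore value reached the log and the credential must be rotated. The key-name and header heuristics catch secrets you did not list, at the cost of some noise, so review those findings by hand before rotating.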
Monitoring Recommendations
- Enable audit logging for file access to Logstash log directories
- Monitor for new processes reading Logstash log files outside of normal operational patterns
- Implement alerts for bulk log file access that may indicate harvesting attempts
- Review centralized logging destinations for exposed sensitive data
How to Mitigate CVE-2023-46672
Immediate Actions Required
- Upgrade Elastic Logstash to version 8.11.1 or later immediately
- Review existing JSON-formatted log files for exposed sensitive information and rotate any compromised credentials
- If unable to upgrade immediately, switch from JSON logging format to the default logging format
- Restrict file system permissions on Logstash log directories to minimize exposure
Patch Information
Elastic has released Logstash version 8.11.1 which addresses this vulnerability. The security update is documented in Elastic Security Update ESA-2023-26. Organizations should prioritize upgrading to the patched version. Additional advisories have been released by NetApp for affected NetApp products.
Workarounds
- Disable JSON logging format by removing --log.format=json from Logstash startup parameters or configuration
- Avoid referencing keystore variables directly in configurations when JSON logging is required
- Implement strict file system permissions (e.g., chmod 600) on log files to limit read access
- Use environment variables or external secret management solutions as an alternative to keystore variables until patched
# Configuration example
# Disable JSON logging format in logstash.yml
log.format: plain
# Or when starting Logstash, do not use JSON format
# Instead of: bin/logstash --log.format=json
# Use default: bin/logstash
# Restrict log file permissions
chmod 600 /var/log/logstash/*.log
chown logstash:logstash /var/log/logstash/*.log
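An added audit helper, not from this page's source and not Elastic's code, that checks whether a host meets the two exposure conditions named in the Attack Vector section (JSON logging enabled through logstash.yml or the --log.format flag, and ${VAR} references in the pipeline configuration) and whether the log file modes match the chmod 600 workaround above. The file paths /etc/logstash/logstash.yml, /etc/logstash/conf.d and /var/log/logstash are assumed defaults; the sample settings and pipeline text are constructed. The ${VAR} syntax is shared by keystore and environment lookups, so the referenced names should be compared with the key list from the keystore tool to see which ones actually come from the keystore.

```python
"""Pre-check for the CVE-2023-46672 exposure conditions.

Hypothetical audit helper written for this page; it is not part of Logstash.
Assumed locations: /etc/logstash/logstash.yml, /etc/logstash/conf.d/*.conf
and /var/log/logstash/*.log.
"""
import os
import re
import sys
from pathlib import Path

# ${NAME} or ${NAME:default}; the same syntax resolves keystore and environment values.
VAR_REF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::[^}]*)?\}")

# Constructed sample inputs for a stand-alone run.
SAMPLE_YML = "# constructed settings\npath.data: /var/lib/logstash\nlog.format: json\n"
SAMPLE_PIPELINE = (
    'output { elasticsearch { hosts => ["https://es:9200"] '
    'user => "${ES_USER}" password => "${ES_PWD:changeme}" } }'
)


def yml_log_format(yml_text):
    """Return the log.format value from logstash.yml text; 'plain' when unset."""
    fmt = "plain"
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition(":")
        if sep and key.strip() == "log.format":
            fmt = value.strip().strip("\"'").lower() or "plain"
    return fmt


def argv_log_format(argv):
    """Return the --log.format value given on the command line, or None."""
    args = list(argv)
    for i, arg in enumerate(args):
        if arg.startswith("--log.format="):
            return arg.split("=", 1)[1].lower()
        if arg == "--log.format" and i + 1 < len(args):
            return args[i + 1].lower()
    return None


def json_logging_enabled(yml_text, argv=()):
    """Command-line settings override logstash.yml, so check the flag first."""
    cli = argv_log_format(argv)
    effective = cli if cli is not None else yml_log_format(yml_text)
    return effective == "json"


def variable_references(pipeline_text):
    """Names referenced as ${NAME} or ${NAME:default} in pipeline configuration."""
    return set(VAR_REF_RE.findall(pipeline_text))


def mode_is_restrictive(mode):
    """True when no group/other permission bits are set (e.g. 0o600)."""
    return (mode & 0o077) == 0


def assess(yml_text, argv, pipeline_text):
    """Both conditions together mean the host is exposed on an unpatched version."""
    refs = variable_references(pipeline_text)
    json_on = json_logging_enabled(yml_text, argv)
    return {
        "json_logging": json_on,
        "variable_refs": sorted(refs),
        "at_risk": json_on and bool(refs),
    }


if __name__ == "__main__":
    # Pass the Logstash startup arguments as this script's arguments, e.g.
    #   python audit.py --log.format=json
    yml_path = Path("/etc/logstash/logstash.yml")
    yml_text = yml_path.read_text() if yml_path.exists() else SAMPLE_YML
    conf_text = "".join(p.read_text() for p in Path("/etc/logstash/conf.d").glob("*.conf"))
    print(assess(yml_text, sys.argv[1:], conf_text or SAMPLE_PIPELINE))
    for log in Path("/var/log/logstash").glob("*.log"):
        mode = os.stat(log).st_mode & 0o777
        if not mode_is_restrictive(mode):
            print(f"{log}: mode {mode:o} is readable by group or other")
```

A result with at_risk set to True on a version before 8.11.1 means the upgrade or the log.format workaround is needed, and existing JSON logs on that host should be scanned for exposed values before being rotated away.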
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


