Platform
other
Component
logstash
Fixed in
6.4.1
CVE-2021-22138 describes a TLS certificate validation flaw discovered in Logstash. This vulnerability allows attackers to potentially intercept and manipulate monitoring data transmitted between Logstash and its monitoring server through a man-in-the-middle attack. The vulnerability affects Logstash versions after 6.4.0 and before 6.8.15, as well as versions 7.11.x. A fix is available in Logstash 6.8.15 and 7.12.0.
The core of this vulnerability lies in Logstash's monitoring feature. When configured to use a trusted server CA certificate, Logstash fails to properly verify the certificate presented by the monitoring server. This oversight creates a critical opportunity for attackers. A malicious actor positioned between Logstash and the monitoring server could intercept the monitoring data stream, presenting a forged certificate to Logstash. Logstash, unaware of the deception, would accept the fraudulent certificate and transmit sensitive monitoring data to the attacker. The data at risk includes metrics, logs, and potentially other operational information, providing attackers with valuable insights into the system's behavior and security posture. Lateral movement within the network could be facilitated if the monitoring data reveals credentials or internal network configurations. The blast radius extends to any systems or data processed by Logstash.
CVE-2021-22138 was publicly disclosed on May 13, 2021. There is no indication of this CVE being added to the CISA KEV catalog. As of the current date, there are no publicly available proof-of-concept exploits. However, the potential for man-in-the-middle attacks makes this a concerning vulnerability, particularly in environments where Logstash is used to collect and process sensitive data.
Exploit Status
EPSS
0.11% (29% percentile)
The primary mitigation for CVE-2021-22138 is to upgrade Logstash to version 6.8.15 or 7.12.0, which contain the fix for this certificate validation flaw. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Ensure that network traffic between Logstash and the monitoring server is isolated and protected by strong network segmentation. Implement strict firewall rules to limit access to the monitoring endpoint. While not a direct fix, enabling mutual TLS (mTLS) between Logstash and the monitoring server can add an additional layer of security, requiring both parties to authenticate each other’s certificates. After upgrading, confirm the fix by verifying that Logstash correctly validates the monitoring server's certificate using a tool like openssl sclient -connect <monitoringserver_ip>:<port> -showcerts.
Update Logstash to version 6.8.15 or 7.12.0 or later. This corrects the incorrect TLS certificate validation in the monitoring feature, preventing man-in-the-middle attacks.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2021-22138 is a vulnerability in Logstash where the TLS certificate validation process is flawed, allowing potential man-in-the-middle attacks on monitoring data.
You are affected if you are running Logstash versions between 6.4.0 (after 6.4.0) and 6.8.14, or any version of 7.11.x.
Upgrade Logstash to version 6.8.15 or 7.12.0 to resolve the certificate validation flaw.
As of now, there are no confirmed reports of active exploitation, but the potential for MITM attacks remains a concern.
Refer to the Elastic security advisory for details: https://www.elastic.co/security/advisories/CVE-2021-22138
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.