Platform
other
Component
logstash
Fixed version
6.4.1
CVE-2021-22138 describes a TLS certificate validation flaw discovered in Logstash. This vulnerability allows attackers to potentially intercept and manipulate monitoring data transmitted between Logstash and its monitoring server through a man-in-the-middle attack. The vulnerability affects Logstash versions after 6.4.0 and before 6.8.15, as well as versions 7.11.x. A fix is available in Logstash 6.8.15 and 7.12.0.
The core of this vulnerability lies in Logstash's monitoring feature. When configured to use a trusted server CA certificate, Logstash fails to properly verify the certificate presented by the monitoring server. An attacker positioned between Logstash and the monitoring server could intercept the monitoring data stream and present a forged certificate; Logstash would accept it and transmit its monitoring data to the attacker. The data at risk includes metrics, logs, and potentially other operational information, giving an attacker insight into the system's behavior and security posture. If the monitoring data reveals credentials or internal network configuration, it could also facilitate lateral movement within the network. The blast radius extends to any systems or data processed by Logstash.
CVE-2021-22138 was publicly disclosed on May 13, 2021. There is no indication of this CVE being added to the CISA KEV catalog. At the time of writing, there are no publicly available proof-of-concept exploits. However, the potential for man-in-the-middle attacks makes this a concerning vulnerability, particularly in environments where Logstash is used to collect and process sensitive data.
Organizations heavily reliant on Logstash for centralized logging and monitoring are at significant risk. This includes environments with sensitive data flowing through Logstash, such as financial institutions, healthcare providers, and government agencies. Specifically, deployments using custom CA certificates for monitoring and those with less stringent network security controls are particularly vulnerable.
• linux / server:
journalctl -u logstash | grep -i "certificate validation"
• generic web:
curl -I <logstash_monitoring_endpoint>
Inspect the response headers for any unusual certificate information or signs of tampering.
• linux / server:
lsof -i :5044 # Replace 5044 with the Logstash monitoring port
Check for unexpected connections to the monitoring port.
disclosure
patch
Exploit status
EPSS
0.11% (29th percentile)
The primary mitigation for CVE-2021-22138 is to upgrade Logstash to version 6.8.15 or 7.12.0, which contain the fix for this certificate validation flaw. If an immediate upgrade is not feasible, consider temporary workarounds. Ensure that network traffic between Logstash and the monitoring server is isolated and protected by strong network segmentation, and implement strict firewall rules to limit access to the monitoring endpoint. While not a direct fix, enabling mutual TLS (mTLS) between Logstash and the monitoring server adds another layer of security by requiring both parties to authenticate each other's certificates. After upgrading, confirm the fix by verifying that Logstash correctly validates the monitoring server's certificate, for example with openssl s_client -connect <monitoring_server_ip>:<port> -showcerts.
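The openssl s_client check above can be scripted for routine verification. The following is an added example, not code from the page or from Elastic: it contrasts a validating TLS client context with the non-validating behaviour the advisory describes, and probes an assumed monitoring endpoint (the hostname, port and CA path are hypothetical) so that a rejected certificate is reported separately from an unreachable host.

```python
import socket
import ssl


def make_verified_context(ca_file=None):
    """Hardened client context: trust the given CA bundle (or the system
    store when ca_file is None), require a valid chain and a matching
    hostname. CVE-2021-22138 is the opposite situation: a CA is configured
    but the server's chain is never actually checked."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_unverified_context():
    """The effective behaviour of a non-validating client, shown only for
    contrast: any certificate, forged or not, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_monitoring_tls(host, port, ca_file=None, timeout=5.0):
    """Connect with a validating context and classify the outcome.

    'status' is one of:
      'verified'             - chain and hostname checked out against ca_file
      'certificate-rejected' - validation works and refused the presented cert
      'tls-error'            - handshake failed for another TLS reason
      'unreachable'          - no TCP connection could be established
    """
    ctx = make_verified_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "verified", "error": None,
                        "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as e:  # subclass of SSLError: catch first
        return {"status": "certificate-rejected", "error": e.verify_message}
    except ssl.SSLError as e:
        return {"status": "tls-error", "error": str(e)}
    except OSError as e:  # refused, timed out, DNS failure
        return {"status": "unreachable", "error": str(e)}


if __name__ == "__main__":
    # Hypothetical endpoint and CA path; replace with your own values.
    print(probe_monitoring_tls("monitoring.example.internal", 9200,
                               ca_file="/etc/logstash/certs/monitoring-ca.pem"))
```

A result of 'certificate-rejected' against a deliberately untrusted test certificate shows that validation is being enforced on the path Logstash uses; 'verified' against the production CA shows the chain and hostname are in order.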
Update Logstash to version 6.8.15 or 7.12.0 or later. This corrects the improper TLS certificate validation in the monitoring feature and prevents man-in-the-middle attacks.
CVE-2021-22138 is a vulnerability in Logstash where the TLS certificate validation process is flawed, allowing potential man-in-the-middle attacks on monitoring data.
You are affected if you are running a Logstash version after 6.4.0 and before 6.8.15 (that is, up to 6.8.14), or any 7.11.x version.
Upgrade Logstash to version 6.8.15 or 7.12.0 to resolve the certificate validation flaw.
As of now, there are no confirmed reports of active exploitation, but the potential for MITM attacks remains a concern.
Refer to the Elastic security advisory for details: https://www.elastic.co/security/advisories/CVE-2021-22138