Elastic Logstash
EOL Dates
Ensure that you are using a supported version of Elastic Logstash. Here are some end of life, and end of support dates for Elastic Logstash.
Release | EOL Date | Status |
---|---|---|
9 | - | Active |
8 | July 15, 2027 | Active. Elastic Logstash 8 will become EOL in two years (in 2027). |
7 | January 15, 2026 | Active. Elastic Logstash 7 will become EOL next year, in January 2026. |
6 | February 10, 2022 | EOL. Elastic Logstash 6 became EOL in 2022. |
By the Year
In 2025 there have been 0 vulnerabilities in Elastic Logstash. Logstash did not have any published security vulnerabilities last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 0 | 0.00 |
2023 | 1 | 5.50 |
2022 | 0 | 0.00 |
2021 | 1 | 3.70 |
2020 | 0 | 0.00 |
2019 | 2 | 8.65 |
2018 | 1 | 6.50 |
It may take a day or so for new Logstash vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Elastic Logstash Security Vulnerabilities
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances
CVE-2023-46672
5.5 - Medium
- November 15, 2023
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are:
* Logstash is configured to log in JSON format (https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html), which is not the default logging format.
* Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.
Insertion of Sensitive Information into Log File
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature
CVE-2021-22138
3.7 - Low
- May 13, 2021
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data.
Improper Certificate Validation
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin
CVE-2019-7620
7.5 - High
- October 30, 2019
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash Beats input listens on could send a specially crafted network packet that would cause Logstash to stop responding.
Improper Input Validation
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs
CVE-2019-7612
9.8 - Critical
- March 25, 2019
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
Credentials Management Errors
When logging warnings regarding deprecated settings
CVE-2018-3817
6.5 - Medium
- March 30, 2018
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Information Disclosure
