Elastic Logstash


EOL Dates

Ensure that you are using a supported version of Elastic Logstash. Here are some end-of-life and end-of-support dates for Elastic Logstash.

Release | EOL Date | Status
9 | - | Active
8 | July 15, 2027 | Active
7 | January 15, 2026 | Active
6 | February 10, 2022 | EOL

Elastic Logstash 8 will become EOL in two years (in 2027).
Elastic Logstash 7 will become EOL next year, in January 2026.
Elastic Logstash 6 became EOL in 2022.

By the Year

In 2025 there have been 0 vulnerabilities in Elastic Logstash. Logstash did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2025 0 0.00
2024 0 0.00
2023 1 5.50
2022 0 0.00
2021 1 3.70
2020 0 0.00
2019 2 8.65
2018 1 6.50

It may take a day or so for new Logstash vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Elastic Logstash Security Vulnerabilities

An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances

CVE-2023-46672 5.5 - Medium - November 15, 2023

An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are:
* Logstash is configured to log in JSON format (https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html), which is not the default logging format.
* Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.

Insertion of Sensitive Information into Log File

In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature

CVE-2021-22138 3.7 - Low - May 13, 2021

In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0, a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate, Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man-in-the-middle style attack against the Logstash monitoring data.

Improper Certificate Validation

Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin

CVE-2019-7620 7.5 - High - October 30, 2019

Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the Logstash Beats input port could send a specially crafted network packet that would cause Logstash to stop responding.

Improper Input Validation

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs

CVE-2019-7612 9.8 - Critical - March 25, 2019

A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

Credentials Management Errors

When logging warnings regarding deprecated settings

CVE-2018-3817 6.5 - Medium - March 30, 2018

When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.

Information Disclosure
