Vulnerability Name:

CVE-2018-3817 (CCN-141115)

Assigned: 2018-01-17
Published: 2018-01-17
Updated: 2019-10-09
Summary: When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2018-3817

Source: CCN
Type: Elastic Web site
Elastic Stack 6.1.2 and 5.6.6 security update

Source: CONFIRM
Type: Vendor Advisory
https://discuss.elastic.co/t/elastic-stack-6-1-2-and-5-6-6-security-update/115763

Source: XF
Type: UNKNOWN
elastic-cve20183817-info-disc(141115)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:elastic:logstash:*:*:*:*:*:*:*:* (Version < 5.6.6)
  • OR cpe:/a:elastic:logstash:*:*:*:*:*:*:*:* (Version >= 6.0.0 and < 6.1.2)

  • * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20183817 | V | CVE-2018-3817 | 2022-05-22
oval:org.opensuse.security:def:59840 | P | Security update for chrony (Moderate) | 2021-12-22
oval:org.opensuse.security:def:60433 | P | Security update for MozillaFirefox (Important) | 2021-12-12
oval:org.opensuse.security:def:60390 | P | Security update for util-linux (Moderate) | 2021-10-20
oval:org.opensuse.security:def:58014 | P | Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important) | 2021-09-23
oval:org.opensuse.security:def:59540 | P | Security update for transfig (Moderate) | 2021-09-16
oval:org.opensuse.security:def:60351 | P | Security update for xen (Important) | 2021-09-02
oval:org.opensuse.security:def:57990 | P | Security update for openssl (Important) | 2021-08-24
oval:org.opensuse.security:def:59783 | P | Security update for cpio (Important) | 2021-08-23
oval:org.opensuse.security:def:57040 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:57940 | P | Security update for caribou (Important) | 2021-06-10
oval:org.opensuse.security:def:60255 | P | Security update for python3 (Important) | 2021-05-17
oval:org.opensuse.security:def:57909 | P | Security update for java-1_7_0-openjdk (Moderate) | 2021-04-29
oval:org.opensuse.security:def:58929 | P | Security update for opensc (Moderate) | 2021-03-31
oval:org.opensuse.security:def:58928 | P | Security update for zabbix (Moderate) | 2021-03-30
oval:org.opensuse.security:def:60471 | P | Security update for openssl-1_0_0 (Moderate) | 2021-03-08
oval:org.opensuse.security:def:59600 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:57146 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-02-10
oval:org.opensuse.security:def:59901 | P | Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:59359 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56489 | P | Security update for xorg-x11-server (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60727 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:57597 | P | Security update for kvm (Important) | 2020-12-01
oval:org.opensuse.security:def:59107 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:56467 | P | Security update for MozillaFirefox, mozilla-nss (Important) | 2020-12-01
oval:org.opensuse.security:def:60689 | P | Security update for apache2 (Important) | 2020-12-01
oval:org.opensuse.security:def:57312 | P | Security update for CUPS | 2020-12-01
oval:org.opensuse.security:def:60588 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58951 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56466 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60605 | P | Security update for ucode-intel (Important) | 2020-12-01
oval:org.opensuse.security:def:60139 | P | Security update for java-1_7_1-ibm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59347 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60510 | P | perl-YAML-LibYAML on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60508 | P | perl-Tk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60847 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59189 | P | Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:60560 | P | unzip on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57871 | P | libxcb-dri2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59655 | P | Security update for MozillaFirefox (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56867 | P | Security update for qemu (Important) | 2020-12-01
oval:org.opensuse.security:def:60768 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:59167 | P | Security update for kernel-firmware (Important) | 2020-12-01
oval:org.opensuse.security:def:57797 | P | libgnomesu on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60090 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:56629 | P | Security update for rpm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60818 | P | Security update for mariadb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59166 | P | Security update for texlive (Important) | 2020-12-01
oval:org.opensuse.security:def:57705 | P | dstat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:80649 | P | Security update for grafana, kafka, logstash and monasca-installer (Moderate) | 2018-08-28
oval:org.opensuse.security:def:83854 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2018-08-14
oval:org.opensuse.security:def:84300 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2018-08-14