FreeBSD : logstash -- Directory traversal vulnerability in the file output plugin (24bde04f-1a10-11e5-b43d-002590263bf5)
Medium Nessus Plugin ID 84381
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
Elastic reports:
An attacker could use the File output plugin with dynamic field references in the path option to traverse paths outside of the Logstash directory. This technique could also be used to overwrite any files which can be accessed with permissions associated with the Logstash user.
This release sandboxes the paths which can be traversed using the configuration. We have also disallowed use of dynamic field references if the path option is pointing to an absolute path.
We have added this vulnerability to our CVE page and are working on filling out the CVE. We would like to thank Colin Coghill for reporting the issue and working with us on the resolution.
Solution
Update the affected package.
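
The two restrictions named in the description (sandboxing the resolved path, and refusing field references in an absolute path) can be sketched as follows. This is an added example, not code from Logstash or from the plugin; the function name, the error class, the `%{field}` pattern and the base directory are assumptions made for illustration.

```ruby
require "pathname"

# Matches a dynamic field reference such as %{host} (assumed syntax for this sketch).
FIELD_REF = /%\{([^}]+)\}/

class UnsafePathError < StandardError; end

# Hypothetical helper: resolve a path template against an event (a Hash of
# field name => value) and refuse any result that leaves base_dir.
def resolve_output_path(base_dir, template, event)
  dynamic  = template.match?(FIELD_REF)
  absolute = Pathname.new(template).absolute?

  # Restriction 2: event data must never steer an absolute path.
  if dynamic && absolute
    raise UnsafePathError, "field references are not allowed in an absolute path"
  end

  # A static absolute path was chosen by the operator, not by event data.
  return File.expand_path(template) if absolute

  # Substitute field values; a missing field becomes an empty string.
  interpolated = template.gsub(FIELD_REF) { event.fetch(Regexp.last_match(1), "").to_s }

  # Restriction 1: normalise "." and ".." lexically, then require the result
  # to sit strictly below the sandbox root. An absolute field value also
  # fails here, because expand_path ignores the root for absolute input.
  # Symlinks are not resolved; that would need File.realpath on existing paths.
  root      = File.expand_path(base_dir)
  candidate = File.expand_path(interpolated, root)
  unless candidate.start_with?(root + File::SEPARATOR)
    raise UnsafePathError, "#{candidate} is outside #{root}"
  end
  candidate
end

# Constructed sample values, for illustration only.
if __FILE__ == $PROGRAM_NAME
  base = "/var/lib/logstash/out"
  puts resolve_output_path(base, "%{host}/app.log", { "host" => "web01" })
  begin
    resolve_output_path(base, "%{host}/app.log", { "host" => "../../../etc" })
  rescue UnsafePathError => e
    puts "rejected: #{e.message}"
  end
end
```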