Bug 1053144 - (CVE-2015-5619) VUL-0: CVE-2015-5619: Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive infor
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/190141/
Reported: 2017-08-10 05:24 UTC by Marcus Meissner
Modified: 2017-08-10 05:33 UTC
Found By: Security Response Team
Description Marcus Meissner 2017-08-10 05:24:38 UTC
CVE-2015-5619

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the
Logstash forwarder does not validate SSL/TLS certificates from the Logstash
server, which might allow attackers to obtain sensitive information via a
man-in-the-middle attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5619
http://packetstormsecurity.com/files/133269/Logstash-1.5.3-Man-In-The-Middle.html
http://www.securityfocus.com/archive/1/archive/1/536294/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/536858/100/0/threaded
http://www.securityfocus.com/bid/76455
https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released
Comment 1 Marcus Meissner 2017-08-10 05:33:54 UTC
We seem to have 2.4.1 in cloud. Also, the advisory is from 2015.

The CHANGELOG.md has the issue listed in there, so fixed.