Beats and Elastic Agent Insertion of Sensitive Information into Log File
An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in their own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information into the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16, which prevent this issue by limiting these log entries to DEBUG level logging, which is disabled by default.
Affected Versions:
- Beats and Elastic Agent versions on or after 7.0.0 and before 7.17.16
- Beats and Elastic Agent versions on or after 8.0.0 and before 8.11.3
Solutions and Mitigations:
The issue is resolved in versions 7.17.16 and 8.11.3. Upgrading stops new raw events from being written at WARN or ERROR, but it does not alter log files that were written before the upgrade; those should still be reviewed (see below) and purged or rotated out where they contain sensitive data.
Reviewing Logs for Sensitive Information
Users can search for instances of these events and determine whether any sensitive information has been leaked in Beats or Elastic Agent logs by searching for the following string. The search should cover rotated log files as well as any destination to which the agent's own logs are forwarded (for example, Elastic Agent monitoring data shipped to Elasticsearch), since a copy of the raw event will have travelled with the log line:
Cannot index event publisher.Event
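As an added example (not part of the advisory and not Elastic's own tooling), the following Python script performs the review described above over Beats or Elastic Agent log files. It looks for the search string in both the JSON log format (one record per line with "log.level", "@timestamp" and "message" keys) and plain console-formatted lines, pulls out the HTTP status from the "(status=NNN)" suffix, and reports only a short, truncated preview of the event body so the triage output does not itself re-copy the leaked payload. The sample log lines at the bottom are constructed for the example; the Go-style event dump inside them is only a stand-in for what the agent would write.

```python
"""Review Beats / Elastic Agent logs for raw events logged after a failed 4xx ingest.

Added example for the advisory text above; the log lines below are constructed,
not real agent output.
"""
import json
import re
from collections import Counter

# The string the advisory tells users to search for.
MARKER = "Cannot index event publisher.Event"
# The agent appends the Elasticsearch response code as "(status=NNN)".
STATUS_RE = re.compile(r"\(status=(\d{3})\)")
# How much of the event body to show per finding; it may contain the sensitive data.
PREVIEW_CHARS = 48


def parse_line(line):
    """Return (level, timestamp, message) for a JSON log line,
    or (None, None, raw_line) for plain console-formatted output."""
    line = line.rstrip("\n")
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            return rec.get("log.level"), rec.get("@timestamp"), rec.get("message", "")
        except json.JSONDecodeError:
            pass
    return None, None, line


def find_leaked_events(lines):
    """One finding per line that carries a raw event.

    Each finding records the line number, log level, timestamp, HTTP status and a
    truncated preview of the event body; the full body is deliberately not retained."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        level, ts, msg = parse_line(line)
        if MARKER not in msg:
            continue
        m = STATUS_RE.search(msg)
        status = int(m.group(1)) if m else None
        body_start = msg.index(MARKER) + len(MARKER)
        findings.append({
            "line": lineno,
            "level": level,
            "timestamp": ts,
            "status": status,
            "preview": msg[body_start:body_start + PREVIEW_CHARS] + "...",
        })
    return findings


def summarize(findings):
    """Count findings by HTTP status; 409 and 429 should never appear (they are retried)."""
    return Counter(f["status"] for f in findings)


# ---- constructed sample input (hypothetical, labelled as such) ----------------
def _json_line(level, ts, msg):
    return json.dumps({"log.level": level, "@timestamp": ts, "log.logger": "elasticsearch",
                       "message": msg, "service.name": "filebeat", "ecs.version": "1.6.0"})


LEAKED_EVENT = ('{Content:beat.Event{Timestamp:time.Date(2023, time.December, 5, 10, 15, 1, 0, time.UTC), '
                'Fields:{"message":"login user=alice password=hunter2"}}} (status=400): '
                '{"type":"mapper_parsing_exception","reason":"failed to parse field [message]"}')

SAMPLE_LOG = [
    _json_line("info", "2023-12-05T10:15:00.000Z",
               "Connection to backoff(elasticsearch(https://es:9200)) established"),
    _json_line("warn", "2023-12-05T10:15:02.123Z", MARKER + LEAKED_EVENT),
    # A 429 is retried, not dumped, so this line carries no raw event.
    _json_line("error", "2023-12-05T10:15:03.000Z",
               "failed to perform any bulk index operations: 429 Too Many Requests"),
    # Console-style (non-JSON) formatting of the same kind of entry.
    "2023-12-05T10:15:04.000Z\tWARN\telasticsearch/client.go:429\t" + MARKER
    + '{Content:beat.Event{Fields:{"api_key":"AKIA-example"}}} (status=403): {"type":"security_exception"}',
]

if __name__ == "__main__":
    found = find_leaked_events(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: level={f['level']} status={f['status']} preview={f['preview']!r}")
    print("findings by status:", dict(summarize(found)))
```

In practice, feed `find_leaked_events()` the lines of each agent log file (including rotated files); a non-empty result means the raw event, and whatever it contained, is on disk and wherever those logs were forwarded.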
Workarounds for Users Who Cannot Upgrade
This log line is logged at the WARN level; changing the log level to ERROR will suppress it. Note that this also hides every other WARN message the agent would emit, so the level should be restored once the agent has been upgraded. For Beats and standalone Elastic Agent the log level can be changed in the configuration file, see:
- https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html#leve
- Configure logging for standalone Elastic Agents | Fleet and Elastic Agent Guide [8.11] | Elastic
For Fleet managed Elastic Agents the log level for each agent can be changed in the Fleet UI as described in Monitor Elastic Agents | Fleet and Elastic Agent Guide [8.11] | Elastic. The log level can also be changed using the Fleet API, for example to raise a single agent's level to ERROR:
curl 'https://<KIBANA>/api/fleet/agents/<AGENT-ID>/actions' \
--data-raw '{"action":{"type":"SETTINGS","data":{"log_level":"error"}}}' \
-H "Content-Type: application/json" \
-H "kbn-xsrf:kibana" \
-u <user granted to change Fleet settings, preferably elastic user>
Severity: CVSSv3: 6.8 (Medium) - AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE IDs
- CVE-2023-49922 (Beats)
- CVE-2023-6687 (Elastic Agent)