Beats and Elastic Agent 8.11.3 / 7.17.16 Security Update (ESA-2023-30)

Beats and Elastic Agent Insertion of Sensitive Information into Log File

An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information in the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16 that prevents this issue by limiting these types of logs to DEBUG level logging, which is disabled by default.

Affected Versions:

• Beats and Elastic Agent versions on or after 7.0.0 and before 7.17.16
• Beats and Elastic Agent versions on or after 8.0.0 and before 8.11.3

Solutions and Mitigations:

The issue is resolved in version 7.17.16 and 8.11.3.

Reviewing Logs for Sensitive Information

Users can search for instances of these events and determine whether any sensitive information has been leaked in Beats or Elastic Agent logs by searching for the following string

Cannot index event publisher.Event

Workarounds for Users Who Cannot Upgrade

This log line is logged at the WARN level, changing the log level to ERROR will suppress these logs. For Beats and standalone Elastic Agent the log level can be changed in the configuration file, see:

• https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html#leve
• Configure logging for standalone Elastic Agents | Fleet and Elastic Agent Guide [8.11] | Elastic

For Fleet managed Elastic Agents the log level for each agent can be changed in the Fleet UI as described in Monitor Elastic Agents | Fleet and Elastic Agent Guide [8.11] | Elastic. The log level can also be changed using the

Fleet API, for example:

curl 'https://<KIBANA>/api/fleet/agents/<AGENT-ID>/actions' \
    --data-raw '{"action":{"type":"SETTINGS","data":{"log_level":"debug"}}}' \
    -H "kbn-xsrf:kibana" \
    -u <user granted to change Fleet settings, preferably elastic user>

Severity: CVSSv3: 6.8(Medium) - AV:A/AC:L/PR:L/UI:N/S:CC:H/I:N/A:N

CVE IDs

• CVE-2023-49922 (Beats)
• CVE-2023-6687 (Elastic Agent)