Elastic Agent 8.15.0 Security Update (ESA-2024-23)

Elastic Agent Insertion of Sensitive Information into Log File (ESA-2024-23)

An issue was discovered whereby Elastic Agent writes secrets from the agent policy (elastic-agent.yml) into its log file, but only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.

Affected Versions:
Elastic Agent >= 8.6.0 and < 8.15.0

Solutions and Mitigations:
The issue is resolved in version 8.15.0.

Elastic Cloud
The following mitigations have been performed by Elastic:

  • An investigation has revealed that no Elastic Cloud customers are affected.
  • As a preventative measure we have deployed an ingest processor to redact the components field from debug entries before they are indexed in our monitoring environment.

Self-Managed
Users who are running Elastic Agent >= 8.6.0 and < 8.15.0 should upgrade to Elastic Agent 8.15.0.

Users should review the logging level applied to their Elastic Agents to determine whether they might be affected. If the logging level has been set to debug, the affected logs should be reviewed for sensitive data by filtering for log.level: debug AND components: * within Elasticsearch (the policy secrets are carried in the components field of debug entries), and if deemed necessary, follow-up actions should include:

  • Purging sensitive data from logs
  • Rotating any potentially exposed credentials

For Users that Cannot Upgrade

Users running Elastic Agent >= 8.6.0 and < 8.15.0 should avoid setting the logging level to debug.

If the logging level for Elastic Agent >= 8.6.0 and < 8.15.0 has been set to debug, users should follow the guidance under "Self-Managed" above. Additionally, users can create an ingest pipeline with a remove processor that drops the components field from debug entries before they are indexed in the monitoring environment. The processor is conditioned on the debug level so that info-level entries are untouched, and sets ignore_missing so that debug entries which carry no components field are not rejected. The pipeline must be attached to the index or data stream that receives the agent logs. Example below:

{
  "description": "Ingest processor for esa-2024-23",
  "processors": [
    {
      "remove": {
        "if": "ctx.log?.level == 'debug'",
        "field": "components",
        "ignore_missing": true
      }
    }
  ]
}
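The same filter and the same redaction can be applied offline, which is useful both for the "review the affected logs" step under "Self-Managed" and for checking what the pipeline above will remove before it is attached to the monitoring data stream. The script below is an added example, not Elastic's code: it reads Elastic Agent ndjson log lines, flags debug entries that carry a components field, lists the keys inside that payload whose names look like credentials, and emits a redacted copy with components dropped on debug entries only. The sample log lines and the list of secret-looking key names are constructed assumptions for illustration; the advisory does not enumerate which policy keys are exposed.

```python
"""Offline triage of Elastic Agent ndjson logs for ESA-2024-23 (added example).

Mirrors the advisory's Elasticsearch filter (log.level: debug AND components: *)
and its remove-processor pipeline, but over log lines already on disk or
exported from Elasticsearch.
"""
import json
import re
from typing import Any, Iterable, Optional

# Key names that commonly hold credentials in integration or output settings.
# Assumption for illustration; extend it to match the policies you run.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|api[_-]?key|token|credential)", re.IGNORECASE
)


def get_log_level(rec: dict) -> Optional[str]:
    """Return the level whether stored flat ("log.level") or nested (log: {level})."""
    if "log.level" in rec:
        return str(rec["log.level"]).lower()
    log = rec.get("log")
    if isinstance(log, dict) and "level" in log:
        return str(log["level"]).lower()
    return None


def is_affected(rec: dict) -> bool:
    """The advisory's filter: a debug entry that carries a components field."""
    return get_log_level(rec) == "debug" and "components" in rec


def sensitive_paths(value: Any, path: str = "components") -> list:
    """Walk the components payload; return dotted paths whose key looks like a secret."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}"
            if SENSITIVE_KEY_RE.search(key) and not isinstance(child, (dict, list)):
                hits.append(child_path)
            hits.extend(sensitive_paths(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(sensitive_paths(child, f"{path}[{i}]"))
    return hits


def triage(lines: Iterable[str]) -> list:
    """One finding per affected line: line number, logger name, suspect paths."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an ndjson line (e.g. a stack trace); nothing to inspect
        if is_affected(rec):
            findings.append({
                "line": n,
                "logger": rec.get("log.logger"),
                "paths": sensitive_paths(rec["components"]),
            })
    return findings


def redact_lines(lines: Iterable[str]) -> list:
    """Same effect as the remove processor: drop components on debug entries only.

    Non-JSON lines pass through unchanged; JSON is re-emitted compactly.
    """
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            out.append(line)
            continue
        if is_affected(rec):
            rec = {k: v for k, v in rec.items() if k != "components"}
        out.append(json.dumps(rec, separators=(",", ":")))
    return out


# Constructed sample lines in the agent's ECS ndjson shape; not real agent output.
SAMPLE_LOG = [
    '{"log.level":"info","@timestamp":"2024-08-01T10:00:00.000Z","log.logger":"coordinator","message":"policy applied"}',
    '{"log.level":"debug","@timestamp":"2024-08-01T10:00:01.000Z","log.logger":"coordinator","message":"component model","components":[{"id":"filestream-default","units":[{"config":{"source":{"hosts":["https://db:5432"],"username":"ro","password":"hunter2"}}}]}]}',
    '{"log.level":"debug","@timestamp":"2024-08-01T10:00:02.000Z","log.logger":"runtime","message":"tick"}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']} ({f['logger']}): {f['paths'] or 'no obvious secret keys; review manually'}")
    for redacted in redact_lines(SAMPLE_LOG):
        print(redacted)
```

Run it against a file with `triage(open(path))`; every finding is a line whose components payload should be treated as exposed, whether or not a key name matched, since the regex only prioritises what to rotate first. The debug entry without a components field is deliberately left alone, which is also why the pipeline's remove processor needs ignore_missing.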

Severity: CVSSv4.0: 6.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CVE ID: CVE-2024-37283
