Logstash 2.3.3 Elasticsearch Output Vulnerability


(Suyog Rao) #1

Hi all, we would like to announce a security vulnerability we discovered in our testing. Logstash 2.3.4 has been released with a patch to fix this.

Issue
Prior to version 2.3.4, the Elasticsearch Output plugin would log HTTP authorization headers to file, which could contain sensitive information.

Remediation
Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to Logstash version 2.3.4.

We have assigned Elastic Security Advisory (ESA) number ESA-2016-02 for this and our security page is updated with details.
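An added example, not part of the original post and not Elastic's code: a small Python check that scans log lines for Basic authorization headers, reports which usernames were exposed so their passwords can be rotated, and redacts the tokens. The layout of the affected log lines is an assumption, and the sample lines are constructed.

```python
import base64
import binascii
import re

# Matches "Authorization: Basic <b64>" and Ruby-hash style "Authorization"=>"Basic <b64>".
# The exact layout of the affected Logstash log lines is an assumption.
AUTH_RE = re.compile(
    r'(Authorization"?\s*(?:=>|:)\s*"?Basic\s+)([A-Za-z0-9+/]+={0,2})',
    re.IGNORECASE,
)

def _username(token):
    """Return the user part of a Basic token, or None if it is not user:pass."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def scan(lines):
    """Return (findings, redacted_lines); findings are (line_no, username)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        for m in AUTH_RE.finditer(line):
            user = _username(m.group(2))
            if user is not None:
                findings.append((no, user))
        # Redact every Basic token, even ones that do not decode to user:pass.
        redacted.append(AUTH_RE.sub(r"\1[REDACTED]", line))
    return findings, redacted

# Constructed sample lines, not real Logstash output.
SAMPLE = [
    'request failed {:headers=>{"Authorization"=>"Basic bG9nc3Rhc2g6czNjcjN0"}}',
    "pipeline started",
    "GET /_bulk Authorization: Basic bm90LWEtcGFpcg==",
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE)
    for no, user in found:
        print(f"line {no}: credentials for user {user!r} exposed, rotate them")
    print("\n".join(clean))
```

Upgrading stops new headers from being written; log files produced before the upgrade still need to be checked and the exposed credentials rotated.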

