Security Concerns - Logstash echoes credentials to stdout

Hello,

I was going to open an issue on GitHub, but the issue template directed me here.

I'm very new to Logstash, but noticed something concerning tonight and wanted to ask if the community is aware of this. On failed attempts to hit S3, Logstash is echoing my AWS credentials to the output stream.

I am running a simple pipeline to import data from AWS S3 and move it into an Elasticsearch cluster. I have an input block similar to this:

input {
    s3 {
        access_key_id => "${S3_KEY}"
        secret_access_key => "${S3_SECRET}"
        region => "us-east-1"
        bucket => "${BUCKET_NAME}"
        interval => 2
        codec => "json"
    }
}

I am using environment variables to configure this pipeline. While running, I hit an error because some of the files in that bucket have different security settings than I'd expected. This error is 100% my fault and not a bug I am reporting, but I was surprised to see a message like this in the Logstash output:

[2018-03-18T21:14:04,592][ERROR][logstash.pipeline        ] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:main
  Plugin: <LogStash::Inputs::S3 access_key_id=>"MY_ACCESS_KEY", secret_access_key=>"MY_SECRET_KEY", region=>"us-east-1", bucket=>"BUCKET_NAME", interval=>2, codec=><LogStash::Codecs::JSON id=>"json_31c4beff-0d8c-4cbe-b7b6-efb3aaa2b927", enable_metric=>true, charset=>"UTF-8">, id=>"c763ef7921e0bae8eb2e63f686735aa3846e7d644f317ee589d7123646c3e831", enable_metric=>true, delete=>false, temporary_directory=>"/var/folders/ww/6m7gkcds5sn_5b3bgl6_d3xcpm028j/T/logstash">
  Error: Access Denied
  Exception: Aws::S3::Errors::AccessDenied

In the output above, I've manually added the literal text MY_ACCESS_KEY, MY_SECRET_KEY, and BUCKET_NAME so I am not disclosing too much in this post. However... my keys were printed in the actual output!

Printing literal credentials to stdout is a security risk. Can someone explain to me why the pipeline is evaluated before being printed (instead of printing the literal text in the Logstash config)? I tried looking through the code but couldn't quite understand how the string interpolation there is working.

Thanks very much!

-James

@jameslamb - this has been fixed and is included as the default for Logstash as of 6.2.3.

The plugins have the ability to update independently of the Logstash version, and if you can't upgrade Logstash to the latest version, you can update just the plugin:

bin/logstash-plugin update logstash-input-s3

(Note: the fix also applies to any AWS-based plugins.)

Thank you for reporting this; however, for future security-related issues please refer to https://www.elastic.co/community/security

Thanks @jakelandis! Can you point me to the PR where it was implemented? I'm just curious to see how it was handled.

You should also consider putting that special security information in the redirect text that pops up when people try to open issues on GitHub. I only came here following the advice on https://github.com/elastic/logstash/issues/new

@jameslamb - https://github.com/logstash-plugins/logstash-mixin-aws/commit/d42c7597b7b6bc192d55a7a787180112a42535cd

The mixin-aws is used across all of the AWS-based plugins.

Thanks for the suggestion for the security information. This has also been updated: https://github.com/elastic/logstash/issues/new
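The mechanism behind the leak reported above, and the kind of fix applied to the AWS mixin, can be shown in a few lines of Ruby. This is an added illustration, not Logstash's or the mixin's own code: `${VAR}` substitution happens while the configuration is being resolved, so by the time the plugin object exists its settings hold the real environment values, and a generic object dump (Ruby's default `#inspect`, which lists every instance variable) prints them verbatim. Wrapping secret-typed settings in a value object whose `to_s`/`inspect` return a fixed placeholder keeps the dump safe while the real value stays available for the API call. The class names `LeakyS3Input`, `SafeS3Input`, `Secret`, the helper `resolve_env`, and the environment values in `ENV_FIXTURE` are all constructed for this example.

```ruby
# Added example (not Logstash's own code): why the interpolated secret shows up
# in the plugin dump, and how a redacting wrapper type prevents it.
# LeakyS3Input, SafeS3Input, Secret and resolve_env are hypothetical names.

# Constructed environment, standing in for the real S3_KEY / S3_SECRET variables.
ENV_FIXTURE = { "S3_KEY" => "AKIAEXAMPLEKEY", "S3_SECRET" => "s3cr3t-example" }.freeze

# Mimics "${VAR}" substitution: the config string is replaced by the environment
# value *before* the plugin object is built, so the object never sees the
# literal "${S3_KEY}" text that appears in the pipeline file.
def resolve_env(template, env = ENV_FIXTURE)
  template.gsub(/\$\{(\w+)\}/) { env.fetch(Regexp.last_match(1)) }
end

# A plugin whose settings are plain Strings. Ruby's default #inspect prints
# every instance variable, which is what produced the leak in the report.
class LeakyS3Input
  def initialize(config)
    @access_key_id     = resolve_env(config["access_key_id"])
    @secret_access_key = resolve_env(config["secret_access_key"])
    @bucket            = resolve_env(config["bucket"])
  end

  def report_error(message)
    # Same shape as the "A plugin had an unrecoverable error" log entry.
    "Plugin: #{inspect}\n  Error: #{message}"
  end
end

# Wrapper for secret settings: holds the real value for the API call, but
# #to_s and #inspect never reveal it, so any object dump stays safe.
class Secret
  def initialize(value)
    @value = value
  end

  def value
    @value
  end

  def to_s
    "<password>"
  end

  def inspect
    to_s
  end
end

# Same plugin, with the two credential settings stored as Secret objects.
class SafeS3Input
  def initialize(config)
    @access_key_id     = Secret.new(resolve_env(config["access_key_id"]))
    @secret_access_key = Secret.new(resolve_env(config["secret_access_key"]))
    @bucket            = resolve_env(config["bucket"])
  end

  def report_error(message)
    "Plugin: #{inspect}\n  Error: #{message}"
  end
end

# Constructed pipeline config, mirroring the input block from the report.
CONFIG = {
  "access_key_id"     => "${S3_KEY}",
  "secret_access_key" => "${S3_SECRET}",
  "bucket"            => "my-bucket",
}.freeze

# Detection check: true when the log text contains either resolved credential.
def leaks_credentials?(log_text, env = ENV_FIXTURE)
  log_text.include?(env["S3_KEY"]) || log_text.include?(env["S3_SECRET"])
end

if $PROGRAM_NAME == __FILE__
  puts LeakyS3Input.new(CONFIG).report_error("Access Denied")
  puts
  puts SafeS3Input.new(CONFIG).report_error("Access Denied")
end
```

Running the file prints the two error reports side by side: the first contains the resolved key and secret, the second shows `<password>` in their place while `@bucket` is still readable. The `leaks_credentials?` helper is the check a defender would run over captured log output to confirm that a redaction change actually took effect.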
