Here at Defence Logic we are firm believers in not shying away from issues that affect software that we use or endorse.
So the other day, one of our security consultants (@Nihlander) noticed this in a log file when restarting a Graylog server.
These are credentials being stored in plain text in the Graylog server log file: when Elasticsearch restarts, Graylog reconnects using the password from its configuration and writes it to the log. Elasticsearch configuration information is normally only readable as the 'root' user, so any authenticated user with the following abilities can obtain the Elasticsearch password:
- SSH access to the Graylog server
- Ability to restart the Graylog Server
- Ability to examine the Graylog server logs
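As an added example (not code from Defence Logic or Graylog), the script below shows the kind of check a defender can run over server logs to catch this class of leak: credentials embedded in a connection URL (`scheme://user:password@host`). The log lines are constructed to illustrate the pattern; the exact format of the Graylog lines in the report is not reproduced, and the host names and passwords are made up.

```python
import re

# Constructed sample log lines in the style of a service start-up log.
# Host names, user names and secrets are invented for this example.
SAMPLE_LOG = """\
2018-05-22T10:01:12.345Z INFO  [ElasticsearchClient] Connecting to http://graylog:s3cr3tPass@es01.internal:9200
2018-05-22T10:01:12.400Z INFO  [ElasticsearchClient] Cluster health: green
2018-05-22T10:01:13.001Z DEBUG [IndexerSetup] elasticsearch_hosts=https://admin:Tr0ub4dor@es02.internal:9200,https://es03.internal:9200
2018-05-22T10:01:14.020Z INFO  [ServerBootstrap] Graylog server up and running.
"""

# Match a URL whose userinfo component carries a password: scheme://user:secret@
# The user part stops at ':', the secret part stops at '@' (neither may contain
# whitespace or '/'); a plain host:port with no '@' does not match.
URL_USERINFO_RE = re.compile(
    r'(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)'
    r'(?P<user>[^/\s:@]+):(?P<secret>[^/\s@]+)@'
)


def find_embedded_credentials(line):
    """Return the user names of any URL credentials found in one log line.

    The secret itself is deliberately not returned, so that a scanner built
    on this function does not copy the leaked password into its own output.
    """
    return [m.group('user') for m in URL_USERINFO_RE.finditer(line)]


def redact_line(line):
    """Replace the password part of every matching userinfo with '***'."""
    return URL_USERINFO_RE.sub(
        lambda m: f"{m.group('scheme')}{m.group('user')}:***@", line)


def scan_log(text):
    """Scan log text; return a list of (line_number, user) findings."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for user in find_embedded_credentials(line):
            findings.append((number, user))
    return findings


def redact_log(text):
    """Return the log text with every embedded password replaced by '***'."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for number, user in scan_log(SAMPLE_LOG):
        print(f"line {number}: credential for user '{user}' written to log")
    print(redact_log(SAMPLE_LOG))
```

Running the scan as part of log review (or the redaction as a filter in front of log shipping) flags the leak without echoing the secret, which is the point of the `find_embedded_credentials` design: a detection tool that prints the password it found simply moves the problem to another log.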
@Nihlander reported this to Graylog via their contact form. Defence Logic thanks Graylog for taking the report seriously and actioning it as shown here.
22nd May 2018 - Initial report to vendor
29th May 2018 - Vendor fix released
11th June 2018 - Public disclosure