So we found a bug...

Here at Defence Logic we are firm believers in not shying away from issues that affect software that we use or endorse.

So the other day, one of our security consultants (@Nihlander) noticed this in a log file when restarting a Graylog server.

[Image: graylog-vuln]

These are credentials stored in plain text in the Graylog server log file: when Elasticsearch restarts, Graylog reconnects using the password from its configuration and writes it to the log. Elasticsearch configuration information is normally only accessible as the 'root' user, so any authenticated user with all of the following can obtain the Elasticsearch passwords:

  1. SSH access to the Graylog server
  2. Ability to restart the Graylog Server
  3. Ability to examine the Graylog server logs
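As an added illustration (not code from this post or from Graylog), the following Python shows the two things a defender wants here: a scan that flags log lines carrying a URI password or a `password=` style field, and a logging filter that redacts such secrets before they are written. The patterns, configuration key and sample lines are assumptions constructed for the example, not Graylog's actual log format.

```python
import io
import logging
import re
# Heuristic patterns for secrets that should never reach a log file. They are assumptions made
# for this example (URI userinfo such as http://user:pass@es01:9200, and password=... fields).
SECRET_PATTERNS = [
    re.compile(r"(?P<prefix>[a-z][a-z0-9+.-]*://[^/\s:@]+:)(?P<secret>[^@\s]+)(?=@)", re.I),
    re.compile(r"(?P<prefix>\b[\w.-]*(?:password|passwd|secret)[\w.-]*\s*[=:]\s*[\"']?)"
               r"(?P<secret>[^\s\"',;]+)", re.I),
]
REDACTED = "<REDACTED>"

def redact_line(line):
    """Return (redacted_line, secrets_found) for one log line."""
    found = 0
    for pattern in SECRET_PATTERNS:
        line, n = pattern.subn(lambda m: m.group("prefix") + REDACTED, line)
        found += n
    return line, found

def scan_log(lines):
    """Detection: (line_number, redacted_line) for each line that leaked a secret."""
    return [(no, r) for no, line in enumerate(lines, 1) for r, n in [redact_line(line)] if n]

class RedactingFilter(logging.Filter):
    """Mitigation: scrub each record before the handler formats and writes it."""
    def filter(self, record):
        record.msg, _ = redact_line(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True

def log_with_redaction(messages):
    """Write messages through a logger fitted with RedactingFilter; return the lines written."""
    buf = io.StringIO()
    logger = logging.getLogger("example.redacting")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for msg in messages:
        logger.info(msg)
    return buf.getvalue().splitlines()

# Constructed sample lines (not real Graylog output) resembling the post's finding.
SAMPLE_LOG = [
    "INFO  Starting Graylog server",
    "INFO  Elasticsearch hosts: http://es-user:Sup3rS3cret@es01:9200",
    "DEBUG config elasticsearch_password = Sup3rS3cret",
]
```

Running `scan_log` over an existing log tells you whether a secret has already leaked (and so needs rotating); the filter is the shape of the fix, redacting at write time rather than relying on file permissions.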

So the impact of this issue is regarded as 'Low' due to the level of access required; however, it is similar in nature to both the Twitter and GitHub issues recently.

@Nihlander reported this to Graylog via their contact form. Defence Logic thanks Graylog for taking the report seriously and actioning it as shown here.

Disclosure Timeline
22nd May 2018 - Initial report to vendor
29th May 2018 - Vendor fix released
11th June 2018 - Public disclosure