Logstash with log.format: json does not obfuscate passwords

[edmocosta]

Logstash information:

Logstash version (e.g. bin/logstash --version): 8.10

Description of the problem including expected versus actual behavior:

When log.format: json is set, Logstash is not obfuscating password configuration values. Instead, the whole object is being printed/serialized, leaking the actual password value on the logs:

Oct 23 12:40:59 tip-logstash-bar-0 logstash /usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.16.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:376: warning: singleton on non-persistent Java type Java::JavaNet::URI (https://github.com/jruby/jruby/wiki/Persistence)
Oct 23 12:40:59 tip-logstash-bar-0 logstash INFO {"level":"INFO","loggerName":"logstash.licensechecker.licensereader","timeMillis":1698079258736,"thread":"LogStash::Runner","logEvent":{"message":"Elasticsearch pool URLs updated","changes":{"added":[{"var0":{"object":"http://logstash_internal/:<###THE ACTUAL PASSWORD###>@tip-elasticsearch-elasticsearch-client.tip.svc.cluster.local:9200/","singletonClass":{"id":7376,"idTest":{"varargsCollector":false},"generation":103008,"generationObject":103008,"changes":"{:removed=>[], :added=>[http://logstash_internal:xxxxxx@tip-elasticsearch-elasticsearch-client.tip.svc.cluster.local:9200/]}"}}}]}}}

It's probably missing a Jackson serializer, which should serialize passwords as obfuscated string <password> instead of object.

[jsvd]

Thank you for your report.

Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to [email protected]

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.