CVE-2023-49922: 
vulnerability analysis and mitigation

An issue was discovered by Elastic in Beats and Elastic Agent where the software would log raw events at WARN or ERROR level if ingesting events to Elasticsearch failed with any 4xx HTTP status code (except 409 or 429). The vulnerability was identified as CVE-2023-49922, affecting Beats and Elastic Agent versions from 7.0.0 to 7.17.16 and 8.0.0 to 8.11.3. The issue was disclosed on December 12, 2023, and has been resolved in versions 8.11.3 and 7.17.16 (Elastic Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File). The issue has a CVSS v3.1 base score of 6.5 (Medium) according to NVD with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Elastic assessed it at 6.8 (Medium) with vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N. The vulnerability occurs when the software logs raw events at elevated log levels during failed ingestion attempts (NVD).

The vulnerability could lead to the exposure of sensitive or private information in the Beats or Elastic Agent logs, as raw events that fail to ingest are logged at WARN or ERROR levels. This could potentially expose confidential data to unauthorized users who have access to the log files (Elastic Advisory).

The issue has been fixed in versions 7.17.16 and 8.11.3 by limiting these types of logs to DEBUG level logging, which is disabled by default. For users who cannot upgrade, a workaround is available by changing the log level to ERROR to suppress these logs. This can be done through the configuration file for standalone installations or through the Fleet UI/API for managed agents (Elastic Advisory).