製品・ソフトウェアに関する情報

JVN脆弱性詳細

Gentoo app-admin/logstash-bin パッケージにおける認可・権限・アクセス制御に関する脆弱性

Title	Gentoo app-admin/logstash-bin パッケージにおける認可・権限・アクセス制御に関する脆弱性
Summary	Gentoo app-admin/logstash-bin パッケージには、認可・権限・アクセス制御に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 25, 2017, midnight
Registration Date	Oct. 20, 2017, 6:04 p.m.
Last Update	Oct. 20, 2017, 6:04 p.m.

Affected System

Elasticsearch

Logstash

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-14730	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14730
National Vulnerability Database (NVD)
2	CVE-2017-14730	https://nvd.nist.gov/vuln/detail/CVE-2017-14730

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
gentoo
1	app-admin/logstash-bin: bump to 5.5.3/5.6.1	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd6cb398c1740c68e9b1b78340c887c58c1fbda
2	app-admin/logstash-bin: drop old	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f97c851c209f291b31ae7a902719f1c17c79fa
Gentoo's Bugzilla
3	Bug 628558	https://bugs.gentoo.org/628558
GitHub
4	app-admin/logstash-bin: bump to 5.5.3/5.6.1, drop old #5665	https://github.com/gentoo/gentoo/pull/5665

Change Log

No	Changed Details	Date of change
0	[2017年10月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-14730

Summary	The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.
Publication Date	Sept. 26, 2017, 2:29 a.m.
Registration Date	Jan. 26, 2021, 1:16 p.m.
Last Update	Nov. 21, 2024, 12:13 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:elasticsearch:logstash:5.0.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.0.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.0.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.1.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.1.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.2.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.2.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.3:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.6.0:::::::*
execution environment
1	cpe:2.3:o:gentoo:linux:-:::::::*

Related information, measures and tools

No	URL	タグ
1	https://bugs.gentoo.org/628558	Third Party Advisory
2	https://bugs.gentoo.org/628558	Third Party Advisory
3	https://github.com/gentoo/gentoo/pull/5665	Third Party Advisory
4	https://github.com/gentoo/gentoo/pull/5665	Third Party Advisory
5	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f97c851c209f291b31ae7a902719f1c17c79fa	Third Party Advisory
6	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f97c851c209f291b31ae7a902719f1c17c79fa	Third Party Advisory
7	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd6cb398c1740c68e9b1b78340c887c58c1fbda	Third Party Advisory
8	https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbd6cb398c1740c68e9b1b78340c887c58c1fbda	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-732	重要なリソースに対する不適切なパーミッションの割り当て	https://cwe.mitre.org/data/definitions/732.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:elasticsearch:logstash:5.0.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.0.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.0.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.1.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.1.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.2.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.2.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.3.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.4.3:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.0:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.1:::::::*
cpe:2.3:a:elasticsearch:logstash:5.5.2:::::::*
cpe:2.3:a:elasticsearch:logstash:5.6.0:::::::*
execution environment
1	cpe:2.3:o:gentoo:linux:-:::::::*