Possible false positive on logstash-event ruby gem for CVE-2014-4326 GHSA-8qhq-rq4j-8prj #5468

Closed
aristocrates opened this issue Apr 16, 2025 · 1 comment

Comments

@aristocrates

In 189d576 an update to GHSA-8qhq-rq4j-8prj was published that includes both the logstash and logstash-event gems.

GHSA-8qhq-rq4j-8prj claims that logstash-event gem has affected versions: >= 1.0.14, < 1.4.2, patched versions: 1.4.2

But the last version of the logstash-event gem ever published was 1.2.02, in 2013: https://rubygems.org/gems/logstash-event/

The advisory details specify that the vulnerability is in the files zabbix.rb and nagios_nsca.rb.

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

However, the logstash-event gem does not include those files. Per https://github.com/elastic/logstash/blob/29de30745138ddcb69a2b45b8ebf3e5a1c39b58a/logstash-event.gemspec, the logstash-event gem (version 1.2.02) includes only the following files:

  • lib/logstash-event.rb
  • lib/logstash/event.rb
  • lib/logstash/namespace.rb
  • lib/logstash/util/fieldreference.rb
  • lib/logstash/util.rb
  • spec/event.rb
  • LICENSE

Was the inclusion of logstash-event gem in this advisory a mistake?
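The triage the report above performs by hand (does the advisory's version range even intersect the published releases, and does the gem ship the files the advisory names?) as a small script. This is an added example, not code from the issue or from the advisory database; the advisory range and the gemspec file list are taken from the report, while the list of published versions is constructed sample data (only 1.2.02, the last release, comes from the issue).

```ruby
require 'rubygems'

# Advisory claim as quoted in the issue: affected >= 1.0.14, < 1.4.2, with the
# vulnerable code in outputs/zabbix.rb and outputs/nagios_nsca.rb.
ADVISORY_RANGE = Gem::Requirement.new('>= 1.0.14', '< 1.4.2')
VULNERABLE_FILES = %w[zabbix.rb nagios_nsca.rb].freeze

# File list from the logstash-event 1.2.02 gemspec, as quoted in the issue.
LOGSTASH_EVENT_FILES = %w[
  lib/logstash-event.rb
  lib/logstash/event.rb
  lib/logstash/namespace.rb
  lib/logstash/util/fieldreference.rb
  lib/logstash/util.rb
  spec/event.rb
  LICENSE
].freeze

# Constructed sample of published versions; only 1.2.02 is taken from the issue.
PUBLISHED_VERSIONS = %w[1.1.0 1.2.0 1.2.02].freeze

# Compare an advisory against what the gem actually ships. Returns the published
# versions inside the advisory range and the advisory-named files found in the gem.
# A version match alone is not enough: the affected code has to be in the package.
def triage_advisory(published_versions, shipped_files, range, vulnerable_files)
  in_range = published_versions.select { |v| range.satisfied_by?(Gem::Version.new(v)) }
  present = shipped_files.select { |f| vulnerable_files.include?(File.basename(f)) }
  {
    versions_in_range: in_range,
    vulnerable_files_present: present,
    likely_false_positive: !in_range.empty? && present.empty?
  }
end

# Same check against a gem installed locally, reading its real version and file list.
def triage_installed_gem(name, range, vulnerable_files)
  spec = Gem::Specification.find_by_name(name)
  triage_advisory([spec.version.to_s], spec.files, range, vulnerable_files)
rescue Gem::MissingSpecError
  nil # gem not installed on this machine
end

if $PROGRAM_NAME == __FILE__
  p triage_advisory(PUBLISHED_VERSIONS, LOGSTASH_EVENT_FILES, ADVISORY_RANGE, VULNERABLE_FILES)
end
```

For logstash-event every published version falls inside the advisory range, yet none of the named files is present, which is exactly the mismatch the report describes.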

@JonathanLEvans

Hi @aristocrates, thank you for the information. logstash-event has been removed from the advisory.
