Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)

Sensitive Information in Resource Not Removed Before Reuse in Logstash Leading to Access to Sensitive Information Dependency on Vulnerable Third-Party Component CWE-1395 exists in org.lz4:lz4-java decompression library used by logstash-integration-kafka plugin in Logstash that could allow an...

GHSA-28GG-8QQJ-FHH5 OpenSearch Data Prepper uses deprecated SSL protocol identifier

Impact The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potentially allowing the use of insecure SSL protocols instead of modern TLS versions. Multiple Data Prepper plugins used SSLContext.getInstance"SSL" which could...

OpenSearch Data Prepper uses deprecated SSL protocol identifier

Impact The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potentially allowing the use of insecure SSL protocols instead of modern TLS versions. Multiple Data Prepper plugins used SSLContext.getInstance"SSL" which could...

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. An attacker with access to the log files can gain access to Apache Kafka credentials by accessing these application logs. Remediation Upgrade org.apache.pulsar:pulsar-io-kafka to version...