- Issued: 2014-09-10
- Updated: 2014-09-10
RHSA-2014:1170 - Security Advisory
Synopsis
Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Type/Severity
Security Advisory: Important
Topic
This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.
Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Description
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides
insight into a Fuse Fabric using Elasticsearch to query data for logs,
metrics or historic Camel messages. This plug-in is not enabled by default,
and is provided as a technology preview. If it is enabled by installing the
feature, for example:
    JBossFuse:karaf@root> features:install insight-elasticsearch
Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)
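An added example, not part of the advisory or of Red Hat's documented mitigation: a Python check that reads Elasticsearch settings text and reports whether dynamic scripting has been turned off. It assumes the upstream Elasticsearch 1.x setting name script.disable_dynamic and uses constructed sample configuration text; where the insight plug-in keeps these settings in a Fuse installation is not stated here.

```python
import re

# Assumption: upstream Elasticsearch 1.x setting name; not quoted in the advisory.
SETTING = "script.disable_dynamic"
LINE = re.compile(r"^(\s*)([^\s:#][^:]*):\s*(.*)$")

def flatten_settings(text):
    """Flatten simple elasticsearch.yml text (flat or nested keys) to dotted keys."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        match = LINE.match(line)
        if not match:
            continue
        indent, key, value = len(match.group(1)), match.group(2).strip(), match.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left the scope of deeper or sibling parents
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))  # a parent such as "script:"
        else:
            settings[path] = value.strip("\"'")
    return settings

def dynamic_scripting_status(text):
    """Return 'disabled', 'enabled' or 'unset' for the given settings text."""
    value = flatten_settings(text).get(SETTING)
    if value is None:
        # No active line: the server default applies, which the advisory
        # describes as having dynamic scripting enabled.
        return "unset"
    # Strict reading: only an explicit true counts as hardened.
    return "disabled" if value.lower() == "true" else "enabled"

# Constructed sample configurations (not taken from a real installation).
SAMPLES = {
    "default": "cluster.name: insight\nnode.name: root\n",
    "commented": "cluster.name: insight\n# script.disable_dynamic: true\n",
    "explicit_off": "script.disable_dynamic: false\n",
    "flat": "cluster.name: insight\nscript.disable_dynamic: true  # hardened\n",
    "nested": "script:\n  disable_dynamic: true\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13} {dynamic_scripting_status(text)}")
```

The "commented" sample is the case a plain text search gets wrong: the setting name appears in the file, but no active line sets it, so the default still applies.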
All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat
Customer Portal who have enabled Elasticsearch are advised to follow the
instructions provided in the Solution section of this advisory.
Solution
To mitigate this issue, follow the instructions at
https://access.redhat.com/solutions/1191453
For more information, refer to https://access.redhat.com/solutions/1189133
Affected Products
- Red Hat Fuse 1 x86_64
Fixes
- BZ - 1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting
CVEs
- CVE-2014-3120
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.