CVE-2014-3120
Find out more about CVE-2014-3120 from the MITRE CVE dictionary and NIST NVD.
Statement
On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Fuse ESB Enterprise 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Red Hat Subscription Asset Manager 1.4 (katello-configure) | RHSA-2014:1186 | 2014-09-11 |
| Fuse MQ Enterprise 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Fuse Management Console 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Red Hat JBoss A-MQ 6.1 | RHSA-2014:1170 | 2014-09-10 |
| Red Hat JBoss Fuse 6.1 | RHSA-2014:1170 | 2014-09-10 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | elasticsearch | Affected |
| Red Hat Satellite 6 | elasticsearch | Not affected |
