How to mitigate CVE-2014-3120 on Fuse and A-MQ products

Solution In Progress - Updated -

Environment

  • Red Hat JBoss Fuse
    • 6.x
  • Fuse ESB Enterprise
    • 7.x
  • Red Hat JBoss A-MQ
    • 6.x
  • Fuse MQ Enterprise
    • 7.x

Issue

Red Hat JBoss Fuse, Red Hat JBoss A-MQ, Fuse ESB Enterprise, and Fuse MQ Enterprise include the insight plugin. This plugin provides insight into a Fuse Fabric using Elasticsearch to query data for logs, metrics or historic Camel messages. This plugin is not enabled by default, and is provided as a technology preview. If it is enabled, by installing the feature e.g.:

JBossFuse:karaf@root> features:install insight-elasticsearch

Then an Elasticsearch server will be started.

It was discovered that default configuration in Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120)

All users of Fuse and A-MQ products who have enabled Elasticsearch are advised to follow the instructions provided in the Resolution section of this solution.

Resolution

If a fabric has not been created yet:

  • Edit "fabric/import/fabric/configs/versions/1.0/profiles/insight-core/org.fusesource.insight.elasticsearch-default.properties"
    Add a line "script.disable_dynamic = true"

  • Edit "fabric/import/fabric/configs/versions/1.0/profiles/insight-core/org.fusesource.insight.elasticsearch-default.properties#openshift"
    Add a line "script.disable_dynamic = true"

If a fabric has already been created:

  • Go to the shell console and execute the following command:
      profile-edit --pid org.fusesource.insight.elasticsearch-default/script.disable_dynamic=true insight-core

For non-fabric containers:

  • On Red Hat JBoss Fuse 6 and Red Hat JBoss A-MQ 6, edit "system/io/fabric8/fabric8-karaf/1.0.0.redhat-379/fabric8-karaf-1.0.0.redhat-379-features.xml"
    Add a line "script.disable_dynamic = true" after the line "discovery.zen.ping.unicast.hosts=localhost"
  • On Fuse ESB Enterprise 7 and Fuse MQ Enterprise 7, edit "system/org/fusesource/fabric/fuse-fabric/7.1.0.fuse-047/fuse-fabric-7.1.0.fuse-047-features.xml"
    Add a line "script.disable_dynamic = true" after the line "discovery.zen.ping.unicast.hosts=localhost"

  • Go to the shell console and execute the following script

      caRef = ($.context getServiceReference org.osgi.service.cm.ConfigurationAdmin
      ca = ($.context getService $caRef)
      cfgs = $ca listConfigurations '(service.pid=org.fusesource.insight.elasticsearch*)'
      each $cfgs { props = $it properties ; $props  put "script.disable_dynamic" "true" ; $it update $props }

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.