RHSA-2014:1186

Vulnerability from csaf_redhat - Published: 2014-09-11 21:18 - Updated: 2026-01-28 22:58
Summary
Red Hat Security Advisory: katello-configure security update
Severity
Important
Notes
Topic: An updated katello-configure package that fixes one security issue is now available for Red Hat Subscription Asset Manager. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Details: The katello-configure package provides the katello-configure script, which configures the Katello installation, and the katello-upgrade script, which handles upgrades between versions. It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120) All Subscription Asset Manager users are advised to upgrade to this updated package. The update provides a script that modifies the elasticsearch.yml configuration file to disable dynamic scripting. After updating, run the "katello-configure" command. This will update the elasticsearch.yml configuration file and restart the elasticsearch service.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2014-3120

It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.

6.8 ()
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-749 - Exposed Dangerous Method or Function
Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. After updating, run the "katello-configure" command to apply the needed configuration changes. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2014:1186
References
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated katello-configure package that fixes one security issue is now\navailable for Red Hat Subscription Asset Manager.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The katello-configure package provides the katello-configure script, which\nconfigures the Katello installation, and the katello-upgrade script, which\nhandles upgrades between versions.\n\nIt was discovered that the default configuration of Elasticsearch enabled\ndynamic scripting, allowing a remote attacker to execute arbitrary MVEL\nexpressions and Java code via the source parameter passed to _search.\n(CVE-2014-3120)\n\nAll Subscription Asset Manager users are advised to upgrade to this updated\npackage. The update provides a script that modifies the elasticsearch.yml\nconfiguration file to disable dynamic scripting. After updating, run the\n\"katello-configure\" command. This will update the elasticsearch.yml\nconfiguration file and restart the elasticsearch service.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:1186",
        "url": "https://access.redhat.com/errata/RHSA-2014:1186"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1124252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1186.json"
      }
    ],
    "title": "Red Hat Security Advisory: katello-configure security update",
    "tracking": {
      "current_release_date": "2026-01-28T22:58:22+00:00",
      "generator": {
        "date": "2026-01-28T22:58:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.16"
        }
      },
      "id": "RHSA-2014:1186",
      "initial_release_date": "2014-09-11T21:18:39+00:00",
      "revision_history": [
        {
          "date": "2014-09-11T21:18:39+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-09-11T21:18:39+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-01-28T22:58:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
                "product": {
                  "name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
                  "product_id": "6Server-SubscriptionAssetManager14",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rhel_sam:1.4::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Subscription Asset Manager"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "katello-configure-0:1.4.5.1-3.el6sam.src",
                "product": {
                  "name": "katello-configure-0:1.4.5.1-3.el6sam.src",
                  "product_id": "katello-configure-0:1.4.5.1-3.el6sam.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/katello-configure@1.4.5.1-3.el6sam?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "katello-configure-0:1.4.5.1-3.el6sam.noarch",
                "product": {
                  "name": "katello-configure-0:1.4.5.1-3.el6sam.noarch",
                  "product_id": "katello-configure-0:1.4.5.1-3.el6sam.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/katello-configure@1.4.5.1-3.el6sam?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "katello-configure-0:1.4.5.1-3.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
          "product_id": "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.noarch"
        },
        "product_reference": "katello-configure-0:1.4.5.1-3.el6sam.noarch",
        "relates_to_product_reference": "6Server-SubscriptionAssetManager14"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "katello-configure-0:1.4.5.1-3.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
          "product_id": "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.src"
        },
        "product_reference": "katello-configure-0:1.4.5.1-3.el6sam.src",
        "relates_to_product_reference": "6Server-SubscriptionAssetManager14"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-3120",
      "cwe": {
        "id": "CWE-749",
        "name": "Exposed Dangerous Method or Function"
      },
      "discovery_date": "2014-07-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1124252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: remote code execution flaw via dynamic scripting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.noarch",
          "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "RHBZ#1124252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3120",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1191453",
          "url": "https://access.redhat.com/solutions/1191453"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2013-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-09-11T21:18:39+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied. After updating, run the\n\"katello-configure\" command to apply the needed configuration changes.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.noarch",
            "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1186"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.noarch",
            "6Server-SubscriptionAssetManager14:katello-configure-0:1.4.5.1-3.el6sam.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-25T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "elasticsearch: remote code execution flaw via dynamic scripting"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.