rhsa-2014_1170
Vulnerability from csaf_redhat
Published
2014-09-10 05:33
Modified
2024-11-22 08:26
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 security update

Notes

Topic
This advisory contains instructions on how to resolve one security issue in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0. Red Hat Product Security has rated this security issue as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant messaging system that is tailored for use in mission critical applications. Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides insight into a Fuse Fabric using Elasticsearch to query data for logs, metrics or historic Camel messages. This plug-in is not enabled by default, and is provided as a technology preview. If it is enabled by installing the feature, for example: JBossFuse:karaf@root> features:install insight-elasticsearch Then an Elasticsearch server will be started. It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120) All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat Customer Portal who have enabled Elasticsearch are advised to follow the instructions provided in the Solution section of this advisory.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nin the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.\n\nRed Hat Product Security has rated this security issue as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform. Red\nHat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss Fuse and A-MQ include the insight plug-in, which provides\ninsight into a Fuse Fabric using Elasticsearch to query data for logs,\nmetrics or historic Camel messages. This plug-in is not enabled by default,\nand is provided as a technology preview. If it is enabled by installing the\nfeature, for example:\n\nJBossFuse:karaf@root\u003e features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat\nCustomer Portal who have enabled Elasticsearch are advised to follow the\ninstructions provided in the Solution section of this advisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:1170",
        "url": "https://access.redhat.com/errata/RHSA-2014:1170"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1191453",
        "url": "https://access.redhat.com/solutions/1191453"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1189133",
        "url": "https://access.redhat.com/solutions/1189133"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/support/offerings/techpreview",
        "url": "https://access.redhat.com/support/offerings/techpreview"
      },
      {
        "category": "external",
        "summary": "1124252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1170.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 security update",
    "tracking": {
      "current_release_date": "2024-11-22T08:26:40+00:00",
      "generator": {
        "date": "2024-11-22T08:26:40+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:1170",
      "initial_release_date": "2014-09-10T05:33:20+00:00",
      "revision_history": [
        {
          "date": "2014-09-10T05:33:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:33:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:26:40+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss A-MQ 6.1",
                "product": {
                  "name": "Red Hat JBoss A-MQ 6.1",
                  "product_id": "Red Hat JBoss A-MQ 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:6.1.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Fuse 6.1",
                "product": {
                  "name": "Red Hat JBoss Fuse 6.1",
                  "product_id": "Red Hat JBoss Fuse 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-3120",
      "cwe": {
        "id": "CWE-749",
        "name": "Exposed Dangerous Method or Function"
      },
      "discovery_date": "2014-07-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1124252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: remote code execution flaw via dynamic scripting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.1",
          "Red Hat JBoss Fuse 6.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "RHBZ#1124252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3120",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1191453",
          "url": "https://access.redhat.com/solutions/1191453"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2013-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-09-10T05:33:20+00:00",
          "details": "To mitigate this issue, follow the instructions at\nhttps://access.redhat.com/solutions/1191453\n\nFor more information, refer to https://access.redhat.com/solutions/1189133",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1170"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-25T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "elasticsearch: remote code execution flaw via dynamic scripting"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.