rhsa-2014_1171
Vulnerability from csaf_redhat
Published
2014-09-10 05:43
Modified
2024-11-22 08:26
Summary
Red Hat Security Advisory: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Notes
Topic
This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Fuse ESB Enterprise and Fuse MQ
Enterprise 7.1.0.
Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Fuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in,
which provides insight into a Fuse Fabric using Elasticsearch to query data
for logs, metrics or historic Camel messages. This plug-in is not enabled
by default, and is provided as a technology preview. If it is enabled by
installing the feature, for example:
JBossFuse:karaf@root> features:install insight-elasticsearch
Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)
All users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided
from the Red Hat Customer Portal who have enabled Elasticsearch are advised
to follow the instructions provided in the Solution section of this
advisory.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "This advisory contains instructions on how to resolve one security issue\nin the Elasticsearch component in Fuse ESB Enterprise and Fuse MQ\nEnterprise 7.1.0.\n\nRed Hat Product Security has rated this security issue as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\nFuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nFuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in,\nwhich provides insight into a Fuse Fabric using Elasticsearch to query data\nfor logs, metrics or historic Camel messages. This plug-in is not enabled\nby default, and is provided as a technology preview. If it is enabled by\ninstalling the feature, for example:\n\nJBossFuse:karaf@root\u003e features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided\nfrom the Red Hat Customer Portal who have enabled Elasticsearch are advised\nto follow the instructions provided in the Solution section of this\nadvisory.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1171",
"url": "https://access.redhat.com/errata/RHSA-2014:1171"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/1191453",
"url": "https://access.redhat.com/solutions/1191453"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/1189133",
"url": "https://access.redhat.com/solutions/1189133"
},
{
"category": "external",
"summary": "https://access.redhat.com/support/offerings/techpreview",
"url": "https://access.redhat.com/support/offerings/techpreview"
},
{
"category": "external",
"summary": "1124252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1171.json"
}
],
"title": "Red Hat Security Advisory: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update",
"tracking": {
"current_release_date": "2024-11-22T08:26:44+00:00",
"generator": {
"date": "2024-11-22T08:26:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:1171",
"initial_release_date": "2014-09-10T05:43:30+00:00",
"revision_history": [
{
"date": "2014-09-10T05:43:30+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-09-10T05:43:30+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:26:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Fuse ESB Enterprise 7.1.0",
"product": {
"name": "Fuse ESB Enterprise 7.1.0",
"product_id": "Fuse ESB Enterprise 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0"
}
}
},
{
"category": "product_name",
"name": "Fuse Management Console 7.1.0",
"product": {
"name": "Fuse Management Console 7.1.0",
"product_id": "Fuse Management Console 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_management_console:7.1.0"
}
}
},
{
"category": "product_name",
"name": "Fuse MQ Enterprise 7.1.0",
"product": {
"name": "Fuse MQ Enterprise 7.1.0",
"product_id": "Fuse MQ Enterprise 7.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0"
}
}
}
],
"category": "product_family",
"name": "Fuse Enterprise Middleware"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-3120",
"cwe": {
"id": "CWE-749",
"name": "Exposed Dangerous Method or Function"
},
"discovery_date": "2014-07-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1124252"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "elasticsearch: remote code execution flaw via dynamic scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-3120"
},
{
"category": "external",
"summary": "RHBZ#1124252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-3120",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3120"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/1191453",
"url": "https://access.redhat.com/solutions/1191453"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2013-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-10T05:43:30+00:00",
"details": "To mitigate this issue, follow the instructions at\nhttps://access.redhat.com/solutions/1191453\n\nFor more information, refer to https://access.redhat.com/solutions/1189133",
"product_ids": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1171"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Fuse ESB Enterprise 7.1.0",
"Fuse MQ Enterprise 7.1.0",
"Fuse Management Console 7.1.0"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-03-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "elasticsearch: remote code execution flaw via dynamic scripting"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.