[RHSA-2014:1170-01] Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update

bugzilla at redhat.com bugzilla at redhat.com
Wed Sep 10 05:39:21 UTC 2014

Hash: SHA1

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID:       RHSA-2014:1170-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1170.html
Issue date:        2014-09-10
CVE Names:         CVE-2014-3120 

1. Summary:

This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.

Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides
insight into a Fuse Fabric using Elasticsearch to query data for logs,
metrics or historic Camel messages. This plug-in is not enabled by default,
and is provided as a technology preview. If it is enabled by installing the
feature, for example:

JBossFuse:karaf at root> features:install insight-elasticsearch

Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)

All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat
Customer Portal who have enabled Elasticsearch are advised to follow the
instructions provided in the Solution section of this advisory.

3. Solution:

To mitigate this issue, follow the instructions at

For more information, refer to https://access.redhat.com/solutions/1189133

4. Bugs fixed (https://bugzilla.redhat.com/):

1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting

5. References:


6. Contact:

The Red Hat security contact is <secalert at redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
Version: GnuPG v1


More information about the Jboss-watch-list mailing list