[RHSA-2014:1170-01] Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
bugzilla at redhat.com
bugzilla at redhat.com
Wed Sep 10 05:39:21 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID: RHSA-2014:1170-01
Product: Red Hat JBoss Fuse
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1170.html
Issue date: 2014-09-10
CVE Names: CVE-2014-3120
=====================================================================
1. Summary:
This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.
Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Description:
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.
Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides
insight into a Fuse Fabric using Elasticsearch to query data for logs,
metrics or historic Camel messages. This plug-in is not enabled by default,
and is provided as a technology preview. If it is enabled by installing the
feature, for example:
JBossFuse:karaf at root> features:install insight-elasticsearch
Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)
All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat
Customer Portal who have enabled Elasticsearch are advised to follow the
instructions provided in the Solution section of this advisory.
3. Solution:
To mitigate this issue, follow the instructions at
https://access.redhat.com/solutions/1191453
For more information, refer to https://access.redhat.com/solutions/1189133
4. Bugs fixed (https://bugzilla.redhat.com/):
1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting
5. References:
https://www.redhat.com/security/data/cve/CVE-2014-3120.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1191453
https://access.redhat.com/solutions/1189133
https://access.redhat.com/support/offerings/techpreview
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUD+P4XlSAg2UNWIIRAqj+AJ9AcGh+/6lzUWj8lzEdZnRSC8+9ogCfQDcR
yjAl4kEfr8cOgKvP62Dz0xk=
=O0P6
-----END PGP SIGNATURE-----
More information about the Jboss-watch-list
mailing list