It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.
Find out more about CVE-2014-3120 from the MITRE CVE dictionary dictionary and NIST NVD.
On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Fuse Management Console 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Fuse MQ Enterprise 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Fuse ESB Enterprise 7.1.0 | RHSA-2014:1171 | 2014-09-10 |
| Red Hat Subscription Asset Manager 1.4 (katello-configure) | RHSA-2014:1186 | 2014-09-11 |
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | elasticsearch | Affected |
| Red Hat Satellite 6 | elasticsearch | Not affected |
Vulmon