-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update
Advisory ID:       RHSA-2014:1170-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1170.html
Issue date:        2014-09-10
CVE Names:         CVE-2014-3120 
=====================================================================

1. Summary:

This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.

Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform. Red
Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Red Hat JBoss Fuse and A-MQ include the insight plug-in, which provides
insight into a Fuse Fabric using Elasticsearch to query data for logs,
metrics or historic Camel messages. This plug-in is not enabled by default,
and is provided as a technology preview. If it is enabled by installing the
feature, for example:

JBossFuse:karaf@root> features:install insight-elasticsearch

Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)

All users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat
Customer Portal who have enabled Elasticsearch are advised to follow the
instructions provided in the Solution section of this advisory.

3. Solution:

To mitigate this issue, follow the instructions at
https://access.redhat.com/solutions/1191453

For more information, refer to https://access.redhat.com/solutions/1189133

4. Bugs fixed (https://bugzilla.redhat.com/):

1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3120.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1191453
https://access.redhat.com/solutions/1189133
https://access.redhat.com/support/offerings/techpreview

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUD+P4XlSAg2UNWIIRAqj+AJ9AcGh+/6lzUWj8lzEdZnRSC8+9ogCfQDcR
yjAl4kEfr8cOgKvP62Dz0xk=
=O0P6
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce