-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update
Advisory ID:       RHSA-2014:1171-01
Product:           Fuse Enterprise Middleware
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1171.html
Issue date:        2014-09-10
CVE Names:         CVE-2014-3120 
=====================================================================

1. Summary:

This advisory contains instructions on how to resolve one security issue
in the Elasticsearch component in Fuse ESB Enterprise and Fuse MQ
Enterprise 7.1.0.

Red Hat Product Security has rated this security issue as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Description:

Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.
Fuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant
messaging system that is tailored for use in mission critical applications.

Fuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in,
which provides insight into a Fuse Fabric using Elasticsearch to query data
for logs, metrics or historic Camel messages. This plug-in is not enabled
by default, and is provided as a technology preview. If it is enabled by
installing the feature, for example:

JBossFuse:karaf@root> features:install insight-elasticsearch

Then an Elasticsearch server will be started. It was discovered that the
default configuration of Elasticsearch enabled dynamic scripting, allowing
a remote attacker to execute arbitrary MVEL expressions and Java code via
the source parameter passed to _search. (CVE-2014-3120)

All users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided
from the Red Hat Customer Portal who have enabled Elasticsearch are advised
to follow the instructions provided in the Solution section of this
advisory.

3. Solution:

To mitigate this issue, follow the instructions at
https://access.redhat.com/solutions/1191453

For more information, refer to https://access.redhat.com/solutions/1189133

4. Bugs fixed (https://bugzilla.redhat.com/):

1124252 - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting

5. References:

https://www.redhat.com/security/data/cve/CVE-2014-3120.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/solutions/1191453
https://access.redhat.com/solutions/1189133
https://access.redhat.com/support/offerings/techpreview

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFUD+V5XlSAg2UNWIIRAq17AJ4uaH05P7smwmn65TlUkAGQ1CxF/wCgiPT9
ErXsWqsOvWdJ/Sc97FhECP4=
=YMNu
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce