Bug 1124252 (CVE-2014-3120) - CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting
Summary: CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1125071 1125072
Blocks: 1124259 1125074
Reported: 2014-07-29 07:25 UTC by Murray McAllister
Modified: 2021-10-07 10:35 UTC (History)

Fixed In Version: elasticsearch 1.2.0
Doc Type: Bug Fix
Doc Text:
It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.
Clone Of:
Environment:
Last Closed: 2014-09-11 21:36:14 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1170 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-09-10 09:33:21 UTC
Red Hat Product Errata RHSA-2014:1171 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update 2014-09-10 09:43:30 UTC
Red Hat Product Errata RHSA-2014:1186 0 normal SHIPPED_LIVE Important: katello-configure security update 2014-09-12 01:18:39 UTC

Description Murray McAllister 2014-07-29 07:25:46 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3120 to
the following vulnerability:

Name: CVE-2014-3120
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
Assigned: 20140429
Reference: EXPLOIT-DB:33370
Reference: http://www.exploit-db.com/exploits/33370
Reference: http://bouk.co/blog/elasticsearch-rce/
Reference: http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
Reference: https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch
Reference: http://www.securityfocus.com/bid/67731
Reference: OSVDB:106949
Reference: http://www.osvdb.org/106949

The default configuration in Elasticsearch before 1.2 enables dynamic
scripting, which allows remote attackers to execute arbitrary MVEL
expressions and Java code via the source parameter to _search.  NOTE:
this only violates the vendor's intended security policy if the user
does not run Elasticsearch in its own independent virtual machine.

As noted in <http://bouk.co/blog/elasticsearch-rce/>, adding "script.disable_dynamic: true" to elasticsearch.yml, and ensuring Elasticsearch only binds to localhost, can help mitigate this issue.
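The two mitigations named in the description (set script.disable_dynamic to true, bind only to localhost) can be checked against a node's elasticsearch.yml before it is exposed. The script below is an added example written for this page, not code from the bug report, Elasticsearch or Red Hat. It assumes elasticsearch.yml uses flat `key: value` lines, that `network.host` / `network.bind_host` carry the bind address, that the `script.disable_dynamic` default flipped from false to true in 1.2.0 (the bug's Fixed In Version), and that the later `sandbox` value mentioned in comment 1 permits dynamic scripts only in sandboxed languages. The sample configurations at the bottom are constructed.

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml for the CVE-2014-3120 exposure.

Added example for this page, not Elasticsearch's or Red Hat's own tooling.
"""
from typing import Dict, Tuple

# network.host values that keep the HTTP and transport ports off the network.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for flat 'dotted.key: value' lines (no nesting, no PyYAML)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.1.1' -> (1, 1, 1); tolerates suffixes such as '1.2.0-SNAPSHOT'."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".")[:3])


def dynamic_scripting_state(settings: Dict[str, str], version: str) -> str:
    """Effective script.disable_dynamic state: 'enabled', 'disabled' or 'sandbox'.

    Assumption from the bug: nodes before 1.2.0 default to false (dynamic
    scripting ON); 1.2.0 and later default to true.
    """
    value = settings.get("script.disable_dynamic")
    if value is None:
        return "enabled" if parse_version(version) < (1, 2, 0) else "disabled"
    v = value.lower()
    if v == "sandbox":
        # Later value (arrived with Groovy, per comment 1): dynamic scripts only in
        # sandboxed languages. Reported as its own state rather than 'disabled'.
        return "sandbox"
    return "disabled" if v == "true" else "enabled"


def bound_to_loopback(settings: Dict[str, str]) -> bool:
    """True only when the config explicitly pins the node to a loopback address."""
    host = settings.get("network.bind_host") or settings.get("network.host")
    return host is not None and host.lower() in LOOPBACK_VALUES


def audit(yaml_text: str, version: str) -> Dict[str, object]:
    """Summarise the two mitigations and whether the flaw is reachable remotely."""
    settings = parse_flat_yaml(yaml_text)
    state = dynamic_scripting_state(settings, version)
    loopback = bound_to_loopback(settings)
    # Remote exposure needs both: scripts accepted in requests AND a reachable port.
    remote_exposed = state == "enabled" and not loopback
    return {
        "dynamic_scripting": state,
        "loopback_only": loopback,
        "remote_exposed": remote_exposed,
    }


# Constructed sample configs (not taken from any real deployment).
WEAK_YML = """
cluster.name: demo          # nothing about scripting -> pre-1.2 default applies
network.host: 0.0.0.0
"""
HARDENED_YML = """
cluster.name: demo
script.disable_dynamic: true   # mitigation from the bug description
network.host: 127.0.0.1        # and keep the node off the network
"""

if __name__ == "__main__":
    for label, cfg, ver in (
        ("weak 1.1.1", WEAK_YML, "1.1.1"),
        ("hardened 1.1.1", HARDENED_YML, "1.1.1"),
        ("stock 1.2.0", "", "1.2.0"),
    ):
        print(label, audit(cfg, ver))
```

Run it against a copy of the node's elasticsearch.yml and its reported version; a result with `remote_exposed` true is a node that accepts dynamic scripts from anyone who can reach port 9200. The sandbox state is reported separately on purpose, since whether it is acceptable depends on which script languages are installed.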

Comment 1 Tomas Hoger 2014-07-29 11:47:08 UTC
There are multiple public reports of this issue dating back to at least Nov 2013:
https://blog.liftsecurity.io/2013/11/30/elasticsearch-command-execution-using-script
https://www.found.no/foundation/elasticsearch-security/#scripting-for-fun-and-profit
http://bouk.co/blog/elasticsearch-rce/

Recent upstream blog post about (in)security of dynamic scripting:
http://www.elasticsearch.org/blog/scripting-security/

Metasploit module:
http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb

Upstream commit and bug report that changed the default value of script.disable_dynamic from false to true:
https://github.com/elasticsearch/elasticsearch/commit/81e83cca
https://github.com/elasticsearch/elasticsearch/issues/5853

Upstream documentation for the script.disable_dynamic configuration option:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_enabling_dynamic_scripting

Note that support for the 'sandbox' value was only introduced later with the addition of Groovy support.

Comment 7 David Jorm 2014-09-08 05:04:09 UTC
Statement:

On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.

Comment 9 David Jorm 2014-09-10 04:10:15 UTC
External References:

https://access.redhat.com/solutions/1191453

Comment 10 errata-xmlrpc 2014-09-10 05:33:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse and A-MQ 6.0.0

Via RHSA-2014:1170 https://rhn.redhat.com/errata/RHSA-2014-1170.html

Comment 11 errata-xmlrpc 2014-09-10 05:43:40 UTC
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0

Via RHSA-2014:1171 https://rhn.redhat.com/errata/RHSA-2014-1171.html

Comment 12 Martin Prpič 2014-09-11 09:14:20 UTC
IssueDescription:

It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.

Comment 13 errata-xmlrpc 2014-09-11 21:18:45 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1186 https://rhn.redhat.com/errata/RHSA-2014-1186.html
