Red Hat Bugzilla – Bug 1124252
CVE-2014-3120 elasticsearch: remote code execution flaw via dynamic scripting
Last modified: 2018-02-12 14:30:00 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3120 to the following vulnerability: Name: CVE-2014-3120 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120 Assigned: 20140429 Reference: EXPLOIT-DB:33370 Reference: http://www.exploit-db.com/exploits/33370 Reference: http://bouk.co/blog/elasticsearch-rce/ Reference: http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce Reference: https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch Reference: http://www.securityfocus.com/bid/67731 Reference: OSVDB:106949 Reference: http://www.osvdb.org/106949 The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. As noted in <http://bouk.co/blog/elasticsearch-rce/>, adding "script.disable_dynamic: true" to elasticsearch.yml, and ensuring Elasticsearch only binds to localhost, can help mitigate this issue.
There are multiple public reports of this issue dating back to at least Nov 2013: https://blog.liftsecurity.io/2013/11/30/elasticsearch-command-execution-using-script https://www.found.no/foundation/elasticsearch-security/#scripting-for-fun-and-profit http://bouk.co/blog/elasticsearch-rce/ Recent upstream blog post about (in)security of dynamic scripting: http://www.elasticsearch.org/blog/scripting-security/ Metasploit module: http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb Upstream commit and bug report that changed the default value of script.disable_dynamic from false to true: https://github.com/elasticsearch/elasticsearch/commit/81e83cca https://github.com/elasticsearch/elasticsearch/issues/5853 Upstream documentation for the script.disable_dynamic configuration option: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-scripting.html#_enabling_dynamic_scripting Note that support for the 'sandbox' value was only introduced later with the addition of Groovy support.
Statement: On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.
External References: https://access.redhat.com/solutions/1191453
This issue has been addressed in following products: Red Hat JBoss Fuse and A-MQ 6.0.0 Via RHSA-2014:1170 https://rhn.redhat.com/errata/RHSA-2014-1170.html
This issue has been addressed in following products: Fuse ESB Enterprise/MQ Enterprise 7.1.0 Via RHSA-2014:1171 https://rhn.redhat.com/errata/RHSA-2014-1171.html
IssueDescription: It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.
This issue has been addressed in the following products: Red Hat Subscription Asset Manager 1.4 Via RHSA-2014:1186 https://rhn.redhat.com/errata/RHSA-2014-1186.html