Bug#759736: elasticsearch: CVE-2014-3120
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 29 19:37:01 UTC 2014
Source: elasticsearch
Severity: grave
Tags: security upstream fixed-upstream
Hi Hilko,
I see elasticsearch entered unstable now. Some time ago the following
vulnerability was published for elasticsearch.
CVE-2014-3120[0]:
| The default configuration in Elasticsearch before 1.2 enables dynamic
| scripting, which allows remote attackers to execute arbitrary MVEL
| expressions and Java code via the source parameter to _search. NOTE:
| this only violates the vendor's intended security policy if the user
| does not run Elasticsearch in its own independent virtual machine.
If I understand it correctly, the value or this defaults to false,
more references are in Red Hat's Bugzilla[1]. Could you check
elasticsearch for this?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
https://security-tracker.debian.org/tracker/CVE-2014-3120
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252
[2] https://github.com/elasticsearch/elasticsearch/issues/5853
[3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list