Bug#759736: elasticsearch: CVE-2014-3120

Potter, Tim (Cloud Services) timothy.potter at hp.com
Mon Sep 1 08:05:34 UTC 2014


On 30/08/14 5:37 AM, "Salvatore Bonaccorso" <carnil at debian.org> wrote:

>Source: elasticsearch
>Severity: grave
>Tags: security upstream fixed-upstream
>
>Hi Hilko,
>
>I see elasticsearch entered unstable now. Some time ago the following
>vulnerability was published for elasticsearch.
>
>CVE-2014-3120[0]:
>| The default configuration in Elasticsearch before 1.2 enables dynamic
>| scripting, which allows remote attackers to execute arbitrary MVEL
>| expressions and Java code via the source parameter to _search.  NOTE:
>| this only violates the vendor's intended security policy if the user
>| does not run Elasticsearch in its own independent virtual machine.
>
>If I understand it correctly, the value of this defaults to false,
>more references are in Red Hat's Bugzilla[1]. Could you check
>elasticsearch for this?

Hi Salvatore.  I've checked the current version in the archive and it
definitely is vulnerable.  I've made a patch and am just running some
build tests now.

I'm hoping that Hilko can make an upload as I'm not on the uploaders list,
and don't really know how anyway.

>If you fix the vulnerability please also make sure to include the
>CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Done.

>For further information see:
>
>[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120
>    https://security-tracker.debian.org/tracker/CVE-2014-3120
>[1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252
>[2] https://github.com/elasticsearch/elasticsearch/issues/5853
>[3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca

These were great resources - thanks for including them in the message.


Tim Potter
Cloud Systems Engineer
HP Cloud Services

timothy.potter at hp.com
M +61 419 749 832
Hewlett-Packard Australia Pty Ltd

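A defender-side check for the setting behind this CVE, added here as an example that is not part of the thread or of the Debian package: it inspects an elasticsearch.yml for `script.disable_dynamic` (the Elasticsearch 1.x key whose default the upstream fix changed), treating an absent key as the vulnerable pre-1.2 default. The sample configurations are constructed for illustration.

```python
# Constructed sample configs (not from the Debian package). The key name
# script.disable_dynamic is the real Elasticsearch 1.x setting; before 1.2
# it defaulted to false, i.e. dynamic MVEL scripting was enabled.
VULNERABLE_CONFIG = """\
cluster.name: debian-test
# dynamic scripting left at the pre-1.2 default (enabled)
node.name: "node-1"
"""

HARDENED_CONFIG = """\
cluster.name: debian-test
script.disable_dynamic: true   # what the 1.2 default became
"""

NESTED_CONFIG = """\
cluster.name: debian-test
script:
    disable_dynamic: true
"""


def _strip(line):
    """Drop comments and trailing whitespace from a YAML line."""
    return line.split("#", 1)[0].rstrip()


def dynamic_scripting_setting(yaml_text):
    """Return the value of script.disable_dynamic as written in the config,
    or None if it is absent. Handles the dotted key form and a two-level
    'script:' block; full YAML parsing is not needed for this one key."""
    in_script_block = False
    for raw in yaml_text.splitlines():
        line = _strip(raw)
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"").lower()
        if not indented:
            in_script_block = (key == "script" and value == "")
            if key == "script.disable_dynamic":
                return value
        elif in_script_block and key == "disable_dynamic":
            return value
    return None


def is_vulnerable(yaml_text):
    """Safe only when dynamic scripting is explicitly disabled; an absent
    key means the pre-1.2 default (enabled) applies."""
    return dynamic_scripting_setting(yaml_text) != "true"
```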
