Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 518452 (CVE-2014-3120) - <app-misc/elasticsearch-1.3.2: remote code execution flaw via dynamic scripting (CVE-2014-3120)
Summary: <app-misc/elasticsearch-1.3.2: remote code execution flaw via dynamic scripti...
Status: RESOLVED FIXED
Alias: CVE-2014-3120
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-29 08:05 UTC by Agostino Sarubbo
Modified: 2014-09-16 14:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-29 08:05:48 UTC 
CVE-2014-3120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3120):
  The default configuration in Elasticsearch before 1.2 enables dynamic scripting, 
  which allows remote attackers to execute arbitrary MVEL expressions and 
  Java code via the source parameter to _search. NOTE: this only violates 
  the vendor's intended security policy if the user does not run Elasticsearch 
  in its own independent virtual machine.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2014-09-16 14:18:51 UTC 
+*elasticsearch-1.3.2 (16 Sep 2014)
+
+  16 Sep 2014; Tony Vroon <chainsaw@gentoo.org> -elasticsearch-0.90.6.ebuild,
+  -elasticsearch-0.90.6-r1.ebuild, -elasticsearch-1.0.1.ebuild,
+  +elasticsearch-1.3.2.ebuild:
+  Version bump, as requested by Mark Nowiasz. With thanks to Tomas Mozes & Ivan
+  Iraci for testing in bug #507116. Removing all vulnerable versions for
+  security bug #518452.
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-16 14:50:18 UTC 
Closing as noglsa.