{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nin the Elasticsearch component in Red Hat JBoss Fuse and A-MQ 6.1.0.\n\nRed Hat Product Security has rated this security issue as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform. Red\nHat JBoss A-MQ, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nRed Hat JBoss Fuse and A-MQ include the insight plug-in, which provides\ninsight into a Fuse Fabric using Elasticsearch to query data for logs,\nmetrics or historic Camel messages. This plug-in is not enabled by default,\nand is provided as a technology preview. If it is enabled by installing the\nfeature, for example:\n\nJBossFuse:karaf@root> features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Red Hat JBoss Fuse and A-MQ 6.1.0 as provided from the Red Hat\nCustomer Portal who have enabled Elasticsearch are advised to follow the\ninstructions provided in the Solution section of this advisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:1170",
        "url": "https://access.redhat.com/errata/RHSA-2014:1170"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1191453",
        "url": "https://access.redhat.com/solutions/1191453"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1189133",
        "url": "https://access.redhat.com/solutions/1189133"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/support/offerings/techpreview",
        "url": "https://access.redhat.com/support/offerings/techpreview"
      },
      {
        "category": "external",
        "summary": "1124252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1170.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 security update",
    "tracking": {
      "current_release_date": "2026-03-18T01:35:51+00:00",
      "generator": {
        "date": "2026-03-18T01:35:51+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2014:1170",
      "initial_release_date": "2014-09-10T05:33:20+00:00",
      "revision_history": [
        {
          "date": "2014-09-10T05:33:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:33:31+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T01:35:51+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss A-MQ 6.1",
                "product": {
                  "name": "Red Hat JBoss A-MQ 6.1",
                  "product_id": "Red Hat JBoss A-MQ 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:6.1.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss Fuse 6.1",
                "product": {
                  "name": "Red Hat JBoss Fuse 6.1",
                  "product_id": "Red Hat JBoss Fuse 6.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_fuse:6.1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Fuse"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-3120",
      "cwe": {
        "id": "CWE-749",
        "name": "Exposed Dangerous Method or Function"
      },
      "discovery_date": "2014-07-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1124252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: remote code execution flaw via dynamic scripting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss A-MQ 6.1",
          "Red Hat JBoss Fuse 6.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "RHBZ#1124252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3120",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1191453",
          "url": "https://access.redhat.com/solutions/1191453"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2013-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-09-10T05:33:20+00:00",
          "details": "To mitigate this issue, follow the instructions at\nhttps://access.redhat.com/solutions/1191453\n\nFor more information, refer to https://access.redhat.com/solutions/1189133",
          "product_ids": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1170"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss A-MQ 6.1",
            "Red Hat JBoss Fuse 6.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-25T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "elasticsearch: remote code execution flaw via dynamic scripting"
    }
  ]
}