{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright © Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "This advisory contains instructions on how to resolve one security issue\nin the Elasticsearch component in Fuse ESB Enterprise and Fuse MQ\nEnterprise 7.1.0.\n\nRed Hat Product Security has rated this security issue as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Fuse ESB Enterprise is an integration platform based on Apache ServiceMix.\nFuse MQ Enterprise, based on Apache ActiveMQ, is a standards-compliant\nmessaging system that is tailored for use in mission critical applications.\n\nFuse ESB Enterprise and Fuse MQ Enterprise include the insight plug-in,\nwhich provides insight into a Fuse Fabric using Elasticsearch to query data\nfor logs, metrics or historic Camel messages. This plug-in is not enabled\nby default, and is provided as a technology preview. If it is enabled by\ninstalling the feature, for example:\n\nJBossFuse:karaf@root> features:install insight-elasticsearch\n\nThen an Elasticsearch server will be started. It was discovered that the\ndefault configuration of Elasticsearch enabled dynamic scripting, allowing\na remote attacker to execute arbitrary MVEL expressions and Java code via\nthe source parameter passed to _search. (CVE-2014-3120)\n\nAll users of Fuse ESB Enterprise and Fuse MQ Enterprise 7.1.0 as provided\nfrom the Red Hat Customer Portal who have enabled Elasticsearch are advised\nto follow the instructions provided in the Solution section of this\nadvisory.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:1171",
        "url": "https://access.redhat.com/errata/RHSA-2014:1171"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1191453",
        "url": "https://access.redhat.com/solutions/1191453"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/1189133",
        "url": "https://access.redhat.com/solutions/1189133"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/support/offerings/techpreview",
        "url": "https://access.redhat.com/support/offerings/techpreview"
      },
      {
        "category": "external",
        "summary": "1124252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1171.json"
      }
    ],
    "title": "Red Hat Security Advisory: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update",
    "tracking": {
      "current_release_date": "2026-03-18T01:35:46+00:00",
      "generator": {
        "date": "2026-03-18T01:35:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2014:1171",
      "initial_release_date": "2014-09-10T05:43:30+00:00",
      "revision_history": [
        {
          "date": "2014-09-10T05:43:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-09-10T05:43:30+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T01:35:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Fuse ESB Enterprise 7.1.0",
                "product": {
                  "name": "Fuse ESB Enterprise 7.1.0",
                  "product_id": "Fuse ESB Enterprise 7.1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:fuse_esb_enterprise:7.1.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Fuse Management Console 7.1.0",
                "product": {
                  "name": "Fuse Management Console 7.1.0",
                  "product_id": "Fuse Management Console 7.1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:fuse_management_console:7.1.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Fuse MQ Enterprise 7.1.0",
                "product": {
                  "name": "Fuse MQ Enterprise 7.1.0",
                  "product_id": "Fuse MQ Enterprise 7.1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:fuse_mq_enterprise:7.1.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Fuse Enterprise Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-3120",
      "cwe": {
        "id": "CWE-749",
        "name": "Exposed Dangerous Method or Function"
      },
      "discovery_date": "2014-07-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1124252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: remote code execution flaw via dynamic scripting",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "On Subscription Asset Manager (SAM) 1, the elasticsearch service is only bound to the loopback interface by default. To exploit this issue on a SAM 1 system, an attacker must have local access to the system. On Red Hat JBoss Fuse and Red Hat JBoss A-MQ, the elasticsearch service is only started if the insight-elasticsearch feature is installed. This feature is not installed by default.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Fuse ESB Enterprise 7.1.0",
          "Fuse MQ Enterprise 7.1.0",
          "Fuse Management Console 7.1.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "RHBZ#1124252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1124252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-3120",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3120"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/solutions/1191453",
          "url": "https://access.redhat.com/solutions/1191453"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2013-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-09-10T05:43:30+00:00",
          "details": "To mitigate this issue, follow the instructions at\nhttps://access.redhat.com/solutions/1191453\n\nFor more information, refer to https://access.redhat.com/solutions/1189133",
          "product_ids": [
            "Fuse ESB Enterprise 7.1.0",
            "Fuse MQ Enterprise 7.1.0",
            "Fuse Management Console 7.1.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:1171"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Fuse ESB Enterprise 7.1.0",
            "Fuse MQ Enterprise 7.1.0",
            "Fuse Management Console 7.1.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-25T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "elasticsearch: remote code execution flaw via dynamic scripting"
    }
  ]
}