Source: elasticsearch Severity: grave Tags: security upstream fixed-upstream
Hi Hilko, I see elasticsearch entered unstable now. Some time ago the following vulnerability was published for elasticsearch. CVE-2014-3120[0]: | The default configuration in Elasticsearch before 1.2 enables dynamic | scripting, which allows remote attackers to execute arbitrary MVEL | expressions and Java code via the source parameter to _search. NOTE: | this only violates the vendor's intended security policy if the user | does not run Elasticsearch in its own independent virtual machine. If I understand it correctly, the value or this defaults to false, more references are in Red Hat's Bugzilla[1]. Could you check elasticsearch for this? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3120 https://security-tracker.debian.org/tracker/CVE-2014-3120 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1124252 [2] https://github.com/elasticsearch/elasticsearch/issues/5853 [3] https://github.com/elasticsearch/elasticsearch/commit/81e83cca Regards, Salvatore __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
