CVE-2014-3120 - OpenCVE

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Elasticsearch	Elasticsearch

Configuration 1 [-]

cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*

References

Link	Resource
http://bouk.co/blog/elasticsearch-rce/	Exploit
http://www.exploit-db.com/exploits/33370	Exploit
http://www.osvdb.org/106949
http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce	Exploit Third Party Advisory
http://www.securityfocus.com/bid/67731	Exploit
https://www.elastic.co/blog/logstash-1-4-3-released	Vendor Advisory
https://www.elastic.co/community/security/	Vendor Advisory
https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch	Exploit

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-07-28T19:00:00

Updated: 2015-06-15T14:57:00

Reserved: 2014-04-29T00:00:00

Link: CVE-2014-3120

JSON object: View

NVD Information

Status : Analyzed

Published: 2014-07-28T19:55:04.490

Modified: 2016-12-06T18:13:40.637

Link: CVE-2014-3120

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-05-15T00:00:00", "descriptions": [{"lang": "en", "value": "The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-06-15T14:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.elastic.co/blog/logstash-1-4-3-released"}, {"name": "33370", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/33370"}, {"name": "67731", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67731"}, {"name": "106949", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/106949"}, {"tags": ["x_refsource_MISC"], "url": "http://bouk.co/blog/elasticsearch-rce/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce"}, {"tags": ["x_refsource_MISC"], "url": "https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.elastic.co/community/security/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3120", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.elastic.co/blog/logstash-1-4-3-released", "refsource": "CONFIRM", "url": "https://www.elastic.co/blog/logstash-1-4-3-released"}, {"name": "33370", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/33370"}, {"name": "67731", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67731"}, {"name": "106949", "refsource": "OSVDB", "url": "http://www.osvdb.org/106949"}, {"name": "http://bouk.co/blog/elasticsearch-rce/", "refsource": "MISC", "url": "http://bouk.co/blog/elasticsearch-rce/"}, {"name": "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce", "refsource": "MISC", "url": "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce"}, {"name": "https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch", "refsource": "MISC", "url": "https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch"}, {"name": "https://www.elastic.co/community/security/", "refsource": "CONFIRM", "url": "https://www.elastic.co/community/security/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3120", "datePublished": "2014-07-28T19:00:00", "dateReserved": "2014-04-29T00:00:00", "dateUpdated": "2015-06-15T14:57:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-04-15", "cisaExploitAdd": "2022-03-25", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Elasticsearch Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "B31061F1-66B7-4F12-93CE-685F82BCB17B", "versionEndIncluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine."}, {"lang": "es", "value": "La configuraci\u00f3n por defecto en Elasticsearch anterior a 1.2 habilita secuencias de comandos din\u00e1micos, lo que permite a atacantes remotos ejecutar expresiones MVEL arbitrarias y c\u00f3digo Java a trav\u00e9s del par\u00e1metro source en _search. NOTA: esto solamente viola la pol\u00edtica de seguridad del proveedor si el usuario no hace funcionar Elasticsearch en su propia maquina virtual independiente."}], "id": "CVE-2014-3120", "lastModified": "2016-12-06T18:13:40.637", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-28T19:55:04.490", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://bouk.co/blog/elasticsearch-rce/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/33370"}, {"source": "cve@mitre.org", "url": "http://www.osvdb.org/106949"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/67731"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/blog/logstash-1-4-3-released"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "nvd@nist.gov", "type": "Primary"}]}