(RHSA-2014:1186) Important: katello-configure security update

2014-09-11T04:00:00
ID RHSA-2014:1186
Type redhat
Reporter RedHat
Modified 2018-06-07T09:01:02

Description

The katello-configure package provides the katello-configure script, which configures the Katello installation, and the katello-upgrade script, which handles upgrades between versions.

It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. (CVE-2014-3120)

All Subscription Asset Manager users are advised to upgrade to this updated package. The update provides a script that modifies the elasticsearch.yml configuration file to disable dynamic scripting. After updating, run the "katello-configure" command. This will update the elasticsearch.yml configuration file and restart the elasticsearch service.
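As an added illustration, not part of this advisory and not Red Hat's katello-configure script, the POSIX shell check below inspects an elasticsearch.yml and reports whether dynamic scripting is disabled through the Elasticsearch 1.x setting `script.disable_dynamic: true`, which is the setting the update's script enforces. The two sample configuration files are constructed inline; the check treats an absent or commented-out key as the pre-1.2 default (dynamic scripting enabled).

```shell
#!/bin/sh
# Added example, not the katello-configure script: report whether an
# elasticsearch.yml disables dynamic scripting (CVE-2014-3120 mitigation).
# Exit status of dynamic_scripting_disabled: 0 = disabled, 1 = enabled/unset.

# Return 0 if the given elasticsearch.yml contains an active (uncommented)
# "script.disable_dynamic: true" line. Only the bare, unquoted form is
# recognised; a missing key means the insecure default and returns 1.
dynamic_scripting_disabled() {
    grep -Ev '^[[:space:]]*#' "$1" \
    | grep -Eq '^[[:space:]]*script\.disable_dynamic[[:space:]]*:[[:space:]]*true[[:space:]]*$'
}

# Print a one-line verdict for a config file.
report() {
    if dynamic_scripting_disabled "$1"; then
        echo "$1: dynamic scripting disabled (safe)"
    else
        echo "$1: dynamic scripting ENABLED or unset (CVE-2014-3120 exposure)"
    fi
}

# Constructed sample configs: the weak form has the key commented out,
# the fixed form has it active, as the update's script would write it.
weak_yml=$(mktemp)
fixed_yml=$(mktemp)
cat >"$weak_yml" <<'EOF'
cluster.name: katello
# script.disable_dynamic: true
EOF
cat >"$fixed_yml" <<'EOF'
cluster.name: katello
script.disable_dynamic: true
EOF

report "$weak_yml"
report "$fixed_yml"
rm -f "$weak_yml" "$fixed_yml"
```

Run it against a real file with `report /etc/elasticsearch/elasticsearch.yml` after sourcing the script; because the check reads only the file, a restart of the elasticsearch service is still required before the setting takes effect, as the advisory notes.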