Red Hat Security Advisory 2017-0868-01 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Multiple security issues have been addressed.
b44baec06b4aa30482485d1d8aad1f8dcd12a8a67d5b08f4763ee3b328caa8b9
This Metasploit module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows groovy code execution and its sandbox can be bypassed using java.lang.Math.class.forName to reference arbitrary classes. It can be used to execute arbitrary Java code. This Metasploit module has been tested successfully on ElasticSearch 1.4.2 on Ubuntu Server 12.04.
176b7335ffc0f7911e7044aabe3ffc56753a9bee674eb8ec914eebc3bc9e46fa
Remote unauthenticated code execution exploit for ElasticSearch.
cd3dc9fb7dbfe91369c0dce0b1009312c69d72f315f06dd0dbd6b7ee01087c61
Elasticsearch versions 1.3.0 through 1.3.7 and 1.4.0 through 1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerabilities allow an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
66145cb4fc4b97a9b78472aa53007c7b5848d4c52871e4d2f47327bd5f50ccae