Red Hat Security Advisory 2014-1186-01 – The katello-configure package provides the katello-configure script, which configures the Katello installation, and the katello-upgrade script, which handles upgrades between versions. It was discovered that the default configuration of Elasticsearch enabled dynamic scripting, allowing a remote attacker to execute arbitrary MVEL expressions and Java code via the source parameter passed to _search. All Subscription Asset Manager users are advised to upgrade to this updated package. The update provides a script that modifies the elasticsearch.yml configuration file to disable dynamic scripting. After updating, run the “katello-configure” command. This will update the elasticsearch.yml configuration file and restart the elasticsearch service.