Bug 1359002

Summary: Remove unsupported Python scripting module
Product: [JBoss] JBoss Operations Network Reporter: Jason Shepherd <jshepherd>
Component: CLIAssignee: Simeon Pinder <spinder>
Status: CLOSED ERRATA QA Contact: Mike Foley <mfoley>
Severity: high Docs Contact:
Priority: high    
Version: JON 3.3.6CC: fbrychta, spinder
Target Milestone: CR01Keywords: Triaged
Target Release: JON 3.3.7   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-31 16:59:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Shepherd 2016-07-22 05:01:21 UTC 
Description of problem:

The Jython library is on the the classpath. If users fail to enable authentication between client and server, a malicious payload, including a reference to the Jython libary, could be send which allows code execution when deserialized.

In JON 3.3.x jython repackaged in a JAR called "rhq-scripting-python-4.12.0.JON330GA.jar". This library can be found in
the shared libraries under modules/org/rhq/server-startup/main/deployments/rq.ear/lib/.

Version-Release number of selected component (if applicable):

I'm guessing this library is part of CLI component, I'm not sure.

How reproducible:


See https://bugzilla.redhat.com/show_bug.cgi?id=1333618
Comment 1 Jason Shepherd 2016-08-10 23:48:59 UTC 
I suggestion for fixing this issue is to remove the rhq-scripting-python library.
Comment 5 errata-xmlrpc 2016-08-31 16:59:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1785.html