Bug 1368864 (CVE-2016-6330)

Summary: CVE-2016-6330 JON: incomplete fix for CVE-2016-3737
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: jshepherd, miburman, spinder, theute
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:57:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1368866    

Description Jason Shepherd 2016-08-22 01:01:48 UTC 
The fix for CVE-2016-3737 in JON 3.3.6 was deemed to be incomplete. While we included a documentation fix in the installation guide which explained how to mitigate the issue, we provided misleading information in the security advisory for JON 3.3.6, that it was fixed by that update, which was not correct. To fix this issue, you need to configure SSL authentication for the JON Server/Agent communication. Please see the documentation for details on how to do that: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
It is not feasible to correct this issue with a code change as client SSL certificates need to be created in order to support client authentication.  The Administration and Configuration guide notes how to mitigate this through the creation of certificates to support SSL authentication.  This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct the issue.
Comment 1 Jason Shepherd 2016-08-22 01:10:45 UTC 
Mitigation:

Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
For more information, refer to https://access.redhat.com/articles/2570101.