Bug 781964 (CVE-2012-0052)

Summary: CVE-2012-0052 JON: Unapproved agents can connect using the name of an existing approved agent
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: mjc, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-20 17:34:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 781965, 804887    

Description David Jorm 2012-01-16 07:53:31 UTC
If a JON agent is registered in a JON server's inventory with a given name, then any other agent can connect to the JON server and assume the identity of this registered agent simply by assuming its agent name. The JON agent key is not verified, allowing malicious JON agents to connect to the server.

Comment 3 errata-xmlrpc 2012-02-01 21:59:01 UTC
This issue has been addressed in following products:

  JBoss Operations Network 2.4.2

Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html

Comment 4 errata-xmlrpc 2012-03-20 17:09:28 UTC
This issue has been addressed in following products:

  JBoss Operations Network 3.0.1

Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html