It was discovered that in certain configurations, the Thermostat agent discloses JMX management URLs of all local Java virtual machines to any local user. This allows local users to increase their privileges. Acknowledgements: This issue was discovered by Elliott Baron of Red Hat.
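As an added illustration of why a JMX management URL is sensitive (this is generic JMX code written for this page, not Thermostat's agent or proxy code, and the report above does not say how the agent published the URLs or how the patch changes that): a JMX connector server started without an authenticator hands full MBeanServer access to any client that knows its service URL, so disclosing the URL of a JVM running as another user is effectively disclosing a credential. Both the monitored JVM and the curious local user run inside the one demo process; the ports 9010/9011, the `passwordAuthenticator` helper and the `monitor`/`example-only` credentials are assumptions made for the demo.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

/**
 * Demo (not Thermostat code): with no authenticator on the connector server,
 * anyone who learns the JMX service URL gets full MBeanServer access.
 * Both the "monitored JVM" and the "other local user" run in this one process.
 */
public class JmxUrlDemo {

    /** Start an RMI connector server for this JVM's platform MBeanServer on 127.0.0.1:port. */
    static JMXConnectorServer startServer(int port, JMXAuthenticator authenticator) throws Exception {
        LocateRegistry.createRegistry(port); // assumed free port, demo only
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://127.0.0.1:" + port + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        if (authenticator != null) {
            // Hardened form: the connector refuses clients that cannot authenticate.
            env.put(JMXConnectorServer.AUTHENTICATOR, authenticator);
        }
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    /**
     * Play the role of a local user who has learned the URL. Reads the Runtime MBean's
     * Name ("pid@host"); the same connection could invoke operations such as
     * com.sun.management:type=HotSpotDiagnostic dumpHeap against the target JVM,
     * which is why leaking the URL to other users amounts to privilege escalation.
     */
    static String probe(JMXServiceURL url, String[] credentials) throws Exception {
        Map<String, Object> env = new HashMap<>();
        if (credentials != null) {
            env.put(JMXConnector.CREDENTIALS, credentials);
        }
        try (JMXConnector connector = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            return (String) mbsc.getAttribute(new ObjectName("java.lang:type=Runtime"), "Name");
        }
    }

    /** Hypothetical credential check; a real deployment would use JMX password/access files. */
    static JMXAuthenticator passwordAuthenticator(String user, String password) {
        return credentials -> {
            if (!(credentials instanceof String[])) {
                throw new SecurityException("credentials required");
            }
            String[] pair = (String[]) credentials;
            if (pair.length != 2 || !user.equals(pair[0]) || !password.equals(pair[1])) {
                throw new SecurityException("invalid credentials");
            }
            return new Subject(true, Collections.singleton(new JMXPrincipal(pair[0])),
                    Collections.emptySet(), Collections.emptySet());
        };
    }

    public static void main(String[] args) throws Exception {
        // 1. Weak configuration: no authenticator, so knowing the URL is enough.
        JMXConnectorServer open = startServer(9010, null);
        JMXServiceURL openUrl = open.getAddress();
        System.out.println("unauthenticated URL: " + openUrl);
        System.out.println("anonymous read succeeded: " + probe(openUrl, null));
        open.stop();

        // 2. Hardened configuration: the URL alone is useless without credentials.
        JMXConnectorServer locked = startServer(9011, passwordAuthenticator("monitor", "example-only"));
        JMXServiceURL lockedUrl = locked.getAddress();
        try {
            probe(lockedUrl, null);
            System.out.println("BUG: anonymous read succeeded on locked server");
        } catch (SecurityException e) {
            System.out.println("anonymous read rejected: " + e.getMessage());
        }
        System.out.println("authenticated read succeeded: "
                + probe(lockedUrl, new String[] {"monitor", "example-only"}));
        locked.stop();
    }
}
```

Compile and run with `javac JmxUrlDemo.java && java JmxUrlDemo`. The first half succeeds with no credentials at all, which is the situation a leaked URL creates for a JVM that exposes an unauthenticated connector; the second half shows that once the server demands authentication, possession of the URL by another local user no longer grants access. The demo only covers the authentication gap; it does not reproduce the path by which the Thermostat agent exposed the URLs.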
Created attachment 962535: agent-proxy-remove-rmi-v2.patch
Proposed upstream patch by Elliott Baron
External References: http://icedtea.classpath.org/pipermail/thermostat-announce/2014-December/000013.html
This issue has been addressed in the following products:

Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2014:2000 https://rhn.redhat.com/errata/RHSA-2014-2000.html
thermostat-1.0.6-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
thermostat-1.0.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.