JBoss Operations Network server does not correctly restrict access to certain remote APIs. A remote, unauthenticated attacker could use this flaw to execute arbitrary Java methods via ServerInvokerServlet or SchedulerService, and possibly exhaust all available disk space.
Acknowledgement: Red Hat would like to thank Alessandro Cavaliere for reporting this issue.
This has been made public in https://github.com/rhq-project/rhq/pull/159
This issue has been addressed in the following products:

Red Hat JBoss Operations Network 3.3

Via RHSA-2015:0862 https://rhn.redhat.com/errata/RHSA-2015-0862.html