JBoss Operations Network server deserializes data from its agents and does not require authentication. A malicious payload could be crafted and sent to a server which, when deserialized, causes remote code execution.
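To make the risk in the description concrete, the following is an added example (it is not part of the advisory and not JBoss ON's own code) showing the difference between a plain `ObjectInputStream`, which instantiates whatever class the incoming bytes name, and one that enforces an allowlist of expected message types. The `AgentHeartbeat` class, the `SafeDeserializationDemo` wrapper and the `HashMap` "unexpected" payload are constructed stand-ins, not JBoss ON types; the product's documented mitigation remains the SSL client authentication described below.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

public class SafeDeserializationDemo {

    // Constructed stand-in for a legitimate agent-to-server message type (hypothetical, not a JBoss ON class).
    public static final class AgentHeartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agentName;
        final long sentAt;
        AgentHeartbeat(String agentName, long sentAt) {
            this.agentName = agentName;
            this.sentAt = sentAt;
        }
    }

    // The vulnerable pattern: a plain ObjectInputStream reconstructs whatever class the
    // bytes name, so the sender, not the receiver, decides which classes get instantiated.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: resolveClass() is consulted before a named class is loaded, so an
    // allowlist check here rejects unexpected types before any of their code can run.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowedClassNames;

        AllowlistObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
            super(in);
            this.allowedClassNames = allowedClassNames;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowedClassNames.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Only the message types the server actually expects from agents.
    static final Set<String> ALLOWED = Collections.singleton(AgentHeartbeat.class.getName());

    static Object deserializeAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), ALLOWED)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new AgentHeartbeat("agent-01", 1470000000L));
        // Constructed "unexpected" payload: a harmless HashMap standing in for any type the
        // server never intended to receive from an unauthenticated sender.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, expected type:    " + deserializeUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered, unexpected type:  " + deserializeUnfiltered(unexpected).getClass().getName());
        System.out.println("allowlisted, expected type:   " + deserializeAllowlisted(expected).getClass().getName());
        try {
            deserializeAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted, unexpected type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered reader accepts both payloads; the allowlisted reader accepts the heartbeat and throws `InvalidClassException` for the `HashMap` before it is constructed. On Java 9 and later the same policy can be attached with `ObjectInputStream.setObjectInputFilter` instead of overriding `resolveClass`. Either way, a class allowlist limits which types an unauthenticated peer can make the server instantiate, which is complementary to, not a substitute for, requiring client authentication on the agent connection.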
A workaround for this issue is to enable client authentication between servers and agents: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
This issue has been addressed in the following products: Red Hat JBoss Operations Network 3.3.6, via RHSA-2016:1519 (https://rhn.redhat.com/errata/RHSA-2016-1519.html).
Despite previously being described as a workaround, the configuration change documented here is the actual solution to this issue: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
Mitigation: Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html. For more information, refer to https://access.redhat.com/articles/2570101.
Statement: It is not feasible to correct this issue with a code change, as client SSL certificates need to be created in order to support client authentication. The installation documentation describes how to mitigate this through the creation of certificates to support SSL authentication. This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct it.
Acknowledgments: Name: Jason Shepherd (Red Hat)