Description of problem:
The Jython library is on the classpath. If users fail to enable authentication between client and server, a malicious payload, including a reference to the Jython library, could be sent which allows code execution when deserialized.
In JON 3.3.x Jython is repackaged in a JAR called "rhq-scripting-python-4.12.0.JON330GA.jar". This library can be found in the shared libraries under modules/org/rhq/server-startup/main/deployments/rq.ear/lib/.
Version-Release number of selected component (if applicable):
I'm guessing this library is part of CLI component, I'm not sure.
My suggestion for fixing this issue is to remove the rhq-scripting-python library.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.