Description of problem: The Jython library is on the classpath. If users fail to enable authentication between client and server, a malicious payload, including a reference to the Jython library, could be sent which allows code execution when deserialized. In JON 3.3.x Jython is repackaged in a JAR called "rhq-scripting-python-4.12.0.JON330GA.jar". This library can be found in the shared libraries under modules/org/rhq/server-startup/main/deployments/rq.ear/lib/.

Version-Release number of selected component (if applicable): I'm guessing this library is part of the CLI component, I'm not sure.

How reproducible: See https://bugzilla.redhat.com/show_bug.cgi?id=1333618
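As an added defender-side example (not JON/RHQ code, and not a substitute for removing the library and enabling client/server authentication), a Java 9+ ObjectInputFilter that refuses any serialized stream referencing an org.python.* class, so an unexpected Jython reference fails at deserialization time instead of executing; the class and method names here are assumptions.

```java
import java.io.*;

// Added example, not part of JON or RHQ: reject Jython classes during
// Java deserialization as defence in depth. A deny-list only covers the
// gadget named in this report; the real fixes are removing the JAR and
// enabling authentication between client and server.
public class JythonDenyFilter {

    // Returns REJECTED for any org.python.* class and leaves every other
    // decision to the JVM default (UNDECIDED). The equivalent pattern form
    // would be ObjectInputFilter.Config.createFilter("!org.python.**").
    static final ObjectInputFilter DENY_JYTHON = info -> {
        Class<?> c = info.serialClass();
        if (c != null && c.getName().startsWith("org.python.")) {
            return ObjectInputFilter.Status.REJECTED;
        }
        return ObjectInputFilter.Status.UNDECIDED;
    };

    // Deserialize with the filter installed. A rejected class surfaces as an
    // InvalidClassException, which callers should log and treat as hostile
    // input rather than retry without the filter.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(DENY_JYTHON);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a harmless serialized String passes the filter.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject("hello");
        }
        System.out.println(readFiltered(bos.toByteArray()));
    }
}
```

The same filter can be applied JVM-wide with the jdk.serialFilter system property instead of per stream, which is the safer default for a server whose deserialization entry points are not all known.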
My suggestion for fixing this issue is to remove the rhq-scripting-python library.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1785.html