Bug 1359002 - Remove unsupported Python scripting module
Summary: Remove unsupported Python scripting module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: CLI
Version: JON 3.3.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: CR01
: JON 3.3.7
Assignee: Simeon Pinder
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-22 05:01 UTC by Jason Shepherd
Modified: 2017-02-14 01:56 UTC (History)
2 users (show)

Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-31 16:59:39 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1785 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.3.7 security and bug fix update 2017-09-05 16:48:45 UTC
Red Hat Bugzilla 1367481 None CLOSED Remove mention of Python from scripting modules note 2019-08-02 18:51:52 UTC

Internal Links: 1367481

Description Jason Shepherd 2016-07-22 05:01:21 UTC 
Description of problem:

The Jython library is on the the classpath. If users fail to enable authentication between client and server, a malicious payload, including a reference to the Jython libary, could be send which allows code execution when deserialized.

In JON 3.3.x jython repackaged in a JAR called "rhq-scripting-python-4.12.0.JON330GA.jar". This library can be found in
the shared libraries under modules/org/rhq/server-startup/main/deployments/rq.ear/lib/.

Version-Release number of selected component (if applicable):

I'm guessing this library is part of CLI component, I'm not sure.

How reproducible:


See https://bugzilla.redhat.com/show_bug.cgi?id=1333618
Comment 1 Jason Shepherd 2016-08-10 23:48:59 UTC 
I suggestion for fixing this issue is to remove the rhq-scripting-python library.
Comment 5 errata-xmlrpc 2016-08-31 16:59:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1785.html
Note You need to log in before you can comment on or make changes to this bug.