The fix for CVE-2016-3737 in JON 3.3.6 was deemed to be incomplete. While we included a documentation fix in the installation guide which explained how to mitigate the issue, we provided misleading information in the security advisory for JON 3.3.6, that it was fixed by that update, which was not correct. To fix this issue, you need to configure SSL authentication for the JON Server/Agent communication. Please see the documentation for details on how to do that: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html It is not feasible to correct this issue with a code change as client SSL certificates need to be created in order to support client authentication. The Administration and Configuration guide notes how to mitigate this through the creation of certificates to support SSL authentication. This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct the issue.
Mitigation: Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html For more information, refer to https://access.redhat.com/articles/2570101.