Bug 1368864 (CVE-2016-6330) - CVE-2016-6330 JON: incomplete fix for CVE-2016-3737
Summary: CVE-2016-6330 JON: incomplete fix for CVE-2016-3737
Alias: CVE-2016-6330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1368866
TreeView+ depends on / blocked
Reported: 2016-08-22 01:01 UTC by Jason Shepherd
Modified: 2021-02-17 03:26 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 02:57:33 UTC

Attachments (Terms of Use)

Description Jason Shepherd 2016-08-22 01:01:48 UTC
The fix for CVE-2016-3737 in JON 3.3.6 was deemed to be incomplete. While we included a documentation fix in the installation guide which explained how to mitigate the issue, we provided misleading information in the security advisory for JON 3.3.6, that it was fixed by that update, which was not correct. To fix this issue, you need to configure SSL authentication for the JON Server/Agent communication. Please see the documentation for details on how to do that: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
It is not feasible to correct this issue with a code change as client SSL certificates need to be created in order to support client authentication.  The Administration and Configuration guide notes how to mitigate this through the creation of certificates to support SSL authentication.  This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct the issue.

Comment 1 Jason Shepherd 2016-08-22 01:10:45 UTC

Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
For more information, refer to https://access.redhat.com/articles/2570101.

Note You need to log in before you can comment on or make changes to this bug.