Bug 1368864 - (CVE-2016-6330) CVE-2016-6330 JON: incomplete fix for CVE-2016-3737
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority/Severity: urgent / urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20160822,repor...
Keywords: Security
Blocks: 1368866
Reported: 2016-08-21 21:01 EDT by Jason Shepherd
Modified: 2016-08-25 00:30 EDT
Attachments: None
Description Jason Shepherd 2016-08-21 21:01:48 EDT
The fix for CVE-2016-3737 in JON 3.3.6 was deemed to be incomplete. While we included a documentation fix in the installation guide which explained how to mitigate the issue, we provided misleading information in the security advisory for JON 3.3.6, stating that it was fixed by that update, which was not correct. To fix this issue, you need to configure SSL authentication for the JON Server/Agent communication. Please see the documentation for details on how to do that: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
It is not feasible to correct this issue with a code change, as client SSL certificates need to be created in order to support client authentication. The Administration and Configuration guide notes how to mitigate this through the creation of certificates to support SSL authentication. This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct the issue.
Comment 1 Jason Shepherd 2016-08-21 21:10:45 EDT
Mitigation:

Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
For more information, refer to https://access.redhat.com/articles/2570101.
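
What the mitigation means at the protocol level, as an added example that is not part of this bug report and is not JBoss ON code: a Go program using only the standard library stands up a TLS server on loopback, first as an unmitigated server that never asks the connecting agent for a certificate, then as a server that requires the agent to present a certificate issued by a CA the server trusts, and connects to each as an agent with no certificate, with a certificate from that CA, and with a certificate from an unrelated CA. The names jon-ca, jon-server, jon-agent, rogue-ca and rogue-agent and the scenario labels are constructed for the example; the real JON server and agent settings are the ones in the linked Administration and Configuration guide and are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCert issues a certificate for cn and returns it ready for crypto/tls with Leaf set.
// CAs are self-signed (parent ignored); everything else is signed by parent's Leaf and key.
func mustCert(cn string, isCA bool, parent tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tls.Certificate{Leaf: tmpl, PrivateKey: key} // CAs sign themselves
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// agentAccepted runs one handshake on loopback: the server applies ClientAuth mode and trusts
// trustedCA; the agent presents agentCert (nil = none). True means the server completed the
// handshake and read application data from the agent.
func agentAccepted(mode tls.ClientAuthType, trustedCA *x509.Certificate, server tls.Certificate, agentCert *tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: mode, ClientCAs: pool})
	check(err)
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			// The first Read drives the server's handshake; with RequireAndVerifyClientCert a missing or untrusted agent certificate fails here.
			_, err = c.Read(make([]byte, 1))
		}
		serverErr <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "jon-server"}
	if agentCert != nil {
		cfg.Certificates = []tls.Certificate{*agentCert}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return false // refused before the agent even finished its side
	}
	defer conn.Close()
	// Under TLS 1.3 the client finishes before the server has checked its certificate,
	// so the server's verdict, not a successful Dial, decides acceptance.
	conn.Write([]byte("hello"))
	return <-serverErr == nil
}

// Scenarios contrasts the unmitigated setup (server never asks the agent for a certificate)
// with the mitigation (server requires a certificate chained to its trusted CA) against an
// anonymous agent, an agent issued by that CA, and an agent issued by an unrelated CA.
func Scenarios() map[string]bool {
	ca := mustCert("jon-ca", true, tls.Certificate{})
	server := mustCert("jon-server", false, ca)
	good := mustCert("jon-agent", false, ca)
	rogueCA := mustCert("rogue-ca", true, tls.Certificate{}) // not in the server's trust store
	bad := mustCert("rogue-agent", false, rogueCA)
	return map[string]bool{
		"unmitigated/anonymous-agent":            agentAccepted(tls.NoClientCert, ca.Leaf, server, nil),
		"mitigated/anonymous-agent":              agentAccepted(tls.RequireAndVerifyClientCert, ca.Leaf, server, nil),
		"mitigated/agent-cert-from-trusted-ca":   agentAccepted(tls.RequireAndVerifyClientCert, ca.Leaf, server, &good),
		"mitigated/agent-cert-from-untrusted-ca": agentAccepted(tls.RequireAndVerifyClientCert, ca.Leaf, server, &bad),
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

Run with go run: the unmitigated server accepts an anonymous agent, while once client authentication is required only the agent whose certificate chains to the trusted CA is accepted and both the anonymous agent and the agent issued by the unrelated CA are refused. The CA and per-agent certificate issuance in Scenarios is the part of the mitigation that the description says cannot be delivered as a code change, since every agent has to be issued and configured with its own certificate.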
