The JON server allows agent registration to succeed under certain conditions if the registration request does not include a security token. This is a feature designed to add convenience. A remote attacker could exploit this by spoofing the identify of an approved agent and passing a null security token, allowing them to hijack the approved agent's session and steal its security token.
This issue has been addressed in following products: JBoss Operations Network 2.4.2 Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html
This issue has been addressed in following products: JBoss Operations Network 3.0.1 Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html