If JON is configured to use LDAP authentication, and the LDAP bind account credentials are invalid, any subsequent login attempt by a user created via LDAP will be successful with any arbitrary password.
This flaw affects JON 2.4.2 and JON 3.0.0.
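The page does not say which code path in JON produced this behaviour. As an added illustration (not JON's code), the sketch below shows one way this class of fail-open bug can arise and the fail-closed form of the same check; the in-memory `DIRECTORY`, the DNs, the passwords and all function names are constructed assumptions.

```python
class BindError(Exception):
    """The directory rejected a bind (unknown DN or wrong password)."""

# Constructed stand-in for an LDAP server (DN -> password); no network is used.
SVC_DN = "cn=svc-bind,ou=services,dc=example,dc=test"
DIRECTORY = {
    SVC_DN: "svc-secret",
    "uid=alice,ou=people,dc=example,dc=test": "alice-pw",
}

def bind(dn, password):
    # An empty password is rejected so it can never count as a successful bind.
    if not password or DIRECTORY.get(dn) != password:
        raise BindError(dn)

def find_user_dn(svc_password, username):
    """Search step: bind as the service account, then locate the user's DN."""
    bind(SVC_DN, svc_password)
    dn = f"uid={username},ou=people,dc=example,dc=test"
    return dn if dn in DIRECTORY else None

def verify_user(svc_password, username, password):
    """True only if the user's own bind succeeded; a failed service bind raises."""
    dn = find_user_dn(svc_password, username)
    if dn is None:
        return False
    try:
        bind(dn, password)
    except BindError:
        return False
    return True

def login_fail_open(svc_password, username, password, known_users):
    """Anti-pattern (assumed for illustration): a failed service bind is
    swallowed and the decision falls back to 'does the account exist?'."""
    try:
        verified = verify_user(svc_password, username, password)
    except BindError:
        return username in known_users  # the password was never checked
    return verified and username in known_users

def login_fail_closed(svc_password, username, password, known_users):
    """Deny unless the user's bind succeeded; a broken service bind is a deny."""
    try:
        verified = verify_user(svc_password, username, password)
    except BindError:
        return False  # misconfigured bind account: no LDAP login is granted
    return verified and username in known_users
```

Here `known_users` stands for the local accounts that were created on a previous LDAP login. A regression test for the fix should run the login path with a deliberately wrong bind-account password and assert that every attempt is denied.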
This issue has been addressed in the following products: JBoss Operations Network 2.4.2, via RHSA-2012:0396 https://rhn.redhat.com/errata/RHSA-2012-0396.html
This issue has been addressed in the following products: JBoss Operations Network 3.0.1, via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html