JBoss Operations Network server does not correctly restrict access to certain remote APIs.
A remote, unauthenticated attacker could use this flaw to execute arbitrary Java methods via ServerInvokerServlet or SchedulerService, and possibly exhaust all available disk space.
Red Hat would like to thank Alessandro Cavaliere for reporting this issue.
This has been made public in https://github.com/rhq-project/rhq/pull/159
This issue has been addressed in the following products:
Red Hat JBoss Operations Network 3.3
Via RHSA-2015:0862 https://rhn.redhat.com/errata/RHSA-2015-0862.html