How to fix CVE-2016-3737 in JBoss Operations Network 3.x

Issue

There is a critical vulnerability in JBoss Operations Network 3.x which allows remote code execution. It is not feasible to correct this issue with a code change, because client SSL certificates need to be created in order to support client authentication. The security advisory RHSA-2016:1519 described the CVE-2016-3737 flaw in a way which implied the issue was addressed via a code fix included in the 3.3.6 release. However, the issue was actually addressed by updating the JON installation guide to document configuration changes that need to be applied manually to mitigate the issue.

Affected Products

  • JBoss Operations Network (JON) 3.x

Solution

Users of JON are advised to upgrade to at least version 3.3.7, which includes the latest security patches and SSL bug fixes. After upgrading, users need to manually configure SSL client authentication as described in the "Setting up Client Authentication Between Servers and Agents" section of the "Configuring JON Servers and Agents" guide.

Further Information

In RHSA-2016:1519 we described CVE-2016-3737 as being fixed by upgrading to version 3.3.6. However, it was not clear that you needed to manually apply configuration changes in order to be secure. Therefore we updated RHSA-2016:1519 and issued a new CVE (CVE-2016-6330) to describe the incomplete fix. Users who upgraded to 3.3.6 are advised to upgrade to the latest version of JON (3.3.7) and apply the configuration changes described in the "Setting up Client Authentication Between Servers and Agents" section of the "Configuring JON Servers and Agents" guide.