RHSA-2016:1519 - Security Advisory

Topic

Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated August 25, 2016]
This advisory described the CVE-2016-3737 flaw in a way which implied
the issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide
to document configuration changes that need to be applied manually to
mitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.

Description

Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

The following security issues are also fixed with this release:

It was discovered that sending specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)

All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.

Solution

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Operations Network installation (including its databases,
applications, configuration files, the JBoss Operations Network server's
file system directory, and so on).

Refer to the JBoss Operations Network 3.3.6 Release Notes for installation
information.

To mitigate CVE-2016-3737 you need to manually configure JON
to use SSL client authentication between servers and agents. Detailed
instructions can be found in the "Setting up Client Authentication
Between Servers and Agents" section of the "Configuring JON Servers and
Agents" guide linked to in the References section.

Affected Products

• Red Hat JBoss Middleware Text-Only Advisories for MIDDLEWARE 1 x86_64

Fixes

• BZ - 1184000 - Bundles missing from the left list / bundle navigation tree
• BZ - 1186300 - java.lang.IllegalArgumentException:Invalid column widths (more widths than columns) [58%, *] error thrown in JBoss ON UI
• BZ - 1205429 - Platform's file system resources are blacklisted and all other child resources take 5 minutes to discover if NFS mount exists to host that is blocking RPC port
• BZ - 1206485 - JON favicon is not used
• BZ - 1207232 - Search bar placed over the main menu on navigating to Dashboards
• BZ - 1211341 - Browser session timeouts on pages where autorefresh is enabled
• BZ - 1212495 - Solaris10-Error in server log after Generate JDR Report operation
• BZ - 1213812 - After upgrade from JBoss ON 3.2 to 3.3, some rhq column families are unavailable and compaction operations fail
• BZ - 1218129 - Calltime metrics sort does not work properly
• BZ - 1232836 - NoResultException in server.log when deploying from resource content for war type != File (Deployment:AS7)
• BZ - 1253647 - jboss-on-agent-init-ec2 requires old package
• BZ - 1255597 - CVE-2015-5220 OOME from EAP 6 http management console
• BZ - 1257741 - First attempt of saving SNMP alert configurations is failed if UDP transport protocol is used
• BZ - 1261890 - Metrics are not properly updated/refreshed in JON UI
• BZ - 1264001 - JON UI fails to load metrics with the message "Cannot load metrics" while plugin container is restarting
• BZ - 1266356 - Commons HttpClient can hang during SSLHandshake
• BZ - 1268329 - The same user is able to upload bundle via 'Upload' but not via 'URL'
• BZ - 1272358 - When creating a big bundle via UI the wizard shows errors if user clicks Next button multiple times
• BZ - 1272473 - Confusing error shown in UI wizard when creating big bundle on oracle and hitting ORA-01691: unable to extend lob segment
• BZ - 1288455 - The data aggregation job in JBoss ON stopped due to unreachable storage node
• BZ - 1290436 - Invalid properties PARTITION_EVENT_PURGE and RESOURCE_CONFIG_HISTORY_PURGE appear on system setting page and prevent config from being saved
• BZ - 1295863 - The number of resources in All Groups/Compatible Groups page is not correct all the time
• BZ - 1297702 - Deletion of partition events in JBoss ON results in OutOfMemoryError when there is a million or more partition events to be deleted
• BZ - 1298144 - Missing "Event Detection" option from the drop down list when trying to create an alert using alert template
• BZ - 1299448 - Storage node heap size cannot be changed using JBoss ON UI
• BZ - 1301575 - apply-updates.bat in jon-server-3.3-update-04.zip only works reliably in the USA
• BZ - 1302322 - Secure server-agent communication using sslsocket incorrectly requires a truststore password
• BZ - 1306231 - Method SystemManager.setSystemSettings(settings) does not propagate LDAP changes into the RHQ Server's JAAS login modules
• BZ - 1306602 - Uninventory of resource leaves orphaned content data in the database
• BZ - 1308947 - Group Operation sequential execution list limited to 50 members
• BZ - 1309481 - Remote API is missing ability to retrieve and revert historic plug-in and resource configuration
• BZ - 1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
• BZ - 1311140 - EAP7 - missing rt filter modules for eap7
• BZ - 1312847 - Report "Suspect Metrics" is empty for user in "All Resources" role
• BZ - 1317993 - Application fails to deploy on EAP7 when the rt filter is installed
• BZ - 1320478 - NPE in server.log Error persisting trait data
• BZ - 1323325 - rhqctl status can report storage node as ?running or ?down if locale does not support extended character sets
• BZ - 1324828 - pretty.print(null) fails
• BZ - 1328316 - Required fields in map-property does not prevent finishing the Resource Create Wizard
• BZ - 1333618 - CVE-2016-3737 JON: The agent/server communication deserializes data, and does not require authentication
• BZ - 1339301 - REST fetch of groups doesn't scale

CVEs

• CVE-2015-5220
• CVE-2016-0800

References

• https://access.redhat.com/security/updates/classification/#critical
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3
• https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
• https://access.redhat.com/articles/2570101