- Issued: 2016-07-27
- Updated: 2016-07-27
RHSA-2016:1519 - Critical: Red Hat JBoss Operations Network 3.3.6 update
Synopsis
Critical: Red Hat JBoss Operations Network 3.3.6 update
Type/Severity
Security Advisory: Critical
Topic
Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
[Updated August 25, 2016] This advisory described the CVE-2016-3737 flaw in a way which implied the issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide to document configuration changes that need to be applied manually to mitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.
Description
Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.
This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.
The following security issues are also fixed with this release:
It was discovered that sending a specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)
It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)
All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.
Solution
The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).
Refer to the JBoss Operations Network 3.3.6 Release Notes for installation information.
To mitigate CVE-2016-3737 you need to manually configure JON to use SSL client authentication between servers and agents. Detailed instructions can be found in the "Setting up Client Authentication Between Servers and Agents" section of the "Configuring JON Servers and Agents" guide linked to in the References section.
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Middleware | Text-Only Advisories | x86_64 |
Fixes
- BZ - 1184000
- BZ - 1186300
- BZ - 1205429
- BZ - 1206485
- BZ - 1207232
- BZ - 1211341
- BZ - 1212495
- BZ - 1213812
- BZ - 1218129
- BZ - 1232836
- BZ - 1253647
- BZ - 1255597
- BZ - 1257741
- BZ - 1261890
- BZ - 1264001
- BZ - 1266356
- BZ - 1268329
- BZ - 1272358
- BZ - 1272473
- BZ - 1288455
- BZ - 1290436
- BZ - 1295863
- BZ - 1297702
- BZ - 1298144
- BZ - 1299448
- BZ - 1301575
- BZ - 1302322
- BZ - 1306231
- BZ - 1306602
- BZ - 1308947
- BZ - 1309481
- BZ - 1310593
- BZ - 1311140
- BZ - 1312847
- BZ - 1317993
- BZ - 1320478
- BZ - 1323325
- BZ - 1324828
- BZ - 1328316
- BZ - 1333618
- BZ - 1339301
CVEs
References
- https://access.redhat.com/security/updates/classification/#critical
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3
- https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
- https://access.redhat.com/articles/2570101
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.