The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2016-6330 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
Base Score | 9 |
---|---|
Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:C |
Access Vector | Network |
Access Complexity | Low |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Complete |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Package | State |
---|---|---|
Red Hat JBoss Operations Network 3 | Core Server | Will not fix |
Apply the configuration changes described in the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
For more information, refer to https://access.redhat.com/articles/2570101.