RHSA-2016:1519

Vulnerability from csaf_redhat - Published: 2016-07-27 15:28 - Updated: 2025-11-21 17:56
Summary
Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.6 update
Severity
Critical
Notes
Topic: Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[Updated August 25, 2016] This advisory described the CVE-2016-3737 flaw in a way which implied the issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide to document configuration changes that need to be applied manually to mitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.
Details: Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.

The following security issues are also addressed with this release (note the August 25, 2016 update above: CVE-2016-3737 is mitigated by a documented configuration change, not by code in this erratum; CVE-2015-5220 and CVE-2016-0800 are the two issues fixed in the update itself):

It was discovered that sending a specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)

It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)

A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)

All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.
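The mitigation for CVE-2016-3737 is configuration, not code: JON must be set up so that agents authenticate to servers with SSL client certificates. After applying it, a practitioner wants evidence that the server endpoint really demands a client certificate. The following Python script is an added example (not Red Hat's tooling and not part of JON): it sends a TLS 1.2 ClientHello to a host and port given on the command line and reports whether the server's first handshake flight contains a CertificateRequest message, which a server that requires client authentication sends before ServerHelloDone. The host name, port and the two sample server flights are constructed for the illustration; this page does not state the JON ports or transport details, and none are assumed. The check only works where a TLS 1.2 handshake is negotiated (in TLS 1.3 the CertificateRequest is encrypted); the definitive test remains an agent without a certificate being refused.

```python
import os
import socket
import struct
import sys

HANDSHAKE, ALERT = 0x16, 0x15
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name):
    """TLS 1.2 ClientHello offering RSA and ECDHE-RSA suites, with the SNI,
    signature_algorithms, supported_groups and ec_point_formats extensions
    most servers want before they answer with a full flight."""
    suites = [0xC02F, 0xC013, 0x009C, 0x002F, 0x0035]
    body = b"\x03\x03" + os.urandom(32) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # compression methods: null only
    name = server_name.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sigalgs = b"".join(struct.pack("!H", a) for a in (0x0401, 0x0501, 0x0601, 0x0201, 0x0403))
    groups = b"".join(struct.pack("!H", g) for g in (0x0017, 0x0018, 0x0019))
    exts = (_ext(0x0000, sni)
            + _ext(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs)
            + _ext(0x000A, struct.pack("!H", len(groups)) + groups)
            + _ext(0x000B, b"\x01\x00"))
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_server_flight(data):
    """Walk the complete TLS records in data, reassemble handshake payloads
    (one message may span records) and list the handshake message types.
    Stops at an alert. client_auth_requested is True when CertificateRequest
    (13) was seen; complete is True once ServerHelloDone (14) was seen."""
    pos, handshake, alert = 0, b"", None
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if pos + 5 + length > len(data):
            break                                            # record not fully received yet
        payload = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == ALERT and len(payload) >= 2:
            alert = (payload[0], payload[1])                 # (level, description)
            break
        if ctype == HANDSHAKE:
            handshake += payload
    types, hpos = [], 0
    while hpos + 4 <= len(handshake):
        mlen = int.from_bytes(handshake[hpos + 1:hpos + 4], "big")
        if hpos + 4 + mlen > len(handshake):
            break                                            # message continues in a later record
        types.append(handshake[hpos])
        hpos += 4 + mlen
    return {"messages": [HS_NAMES.get(t, t) for t in types], "alert": alert,
            "client_auth_requested": 13 in types, "complete": 14 in types}


def probe_client_auth(host, port, timeout=5.0):
    """Send the ClientHello and read until ServerHelloDone, an alert or a timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        while True:
            try:
                chunk = sock.recv(16384)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            result = parse_server_flight(buf)
            if result["complete"] or result["alert"]:
                return result
    return parse_server_flight(buf)


# Constructed sample flights (not captured from any JON server) so the parser
# can be exercised offline; the certificate body is an empty placeholder and
# the flight is split mid-ServerHello across two records on purpose.
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _records(flight, split_at):
    return b"".join(struct.pack("!BHH", HANDSHAKE, 0x0303, len(p)) + p
                    for p in (flight[:split_at], flight[split_at:]))

_SERVER_HELLO = _hs(2, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
_CERT_REQUEST = _hs(13, b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00")  # rsa_sign, rsa_pkcs1_sha256, no CA list
SAMPLE_MUTUAL_TLS_FLIGHT = _records(_SERVER_HELLO + _hs(11, b"\x00\x00\x00") + _CERT_REQUEST + _hs(14, b""), 30)
SAMPLE_NO_CLIENT_AUTH_FLIGHT = _records(_SERVER_HELLO + _hs(11, b"\x00\x00\x00") + _hs(14, b""), 30)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])               # hypothetical JON server host and TLS port
    print(probe_client_auth(host, port))
```

Run it against the server-side port the agents connect to; a result with client_auth_requested True and an empty alert is what a correctly configured endpoint looks like. An alert such as handshake_failure (description 40) means the server rejected this ClientHello's cipher suites or extensions rather than saying anything about client authentication, so adjust the offered suites before drawing a conclusion.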
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2015-5220 (OOME from EAP 6 http management console; impact Important; CVSS v2 base score 7.8, AV:N/AC:L/Au:N/C:N/I:N/A:C): It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service.

CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.6 Release Notes for installation information.

To mitigate CVE-2016-3737 you need to manually configure JON to use SSL client authentication between servers and agents. Detailed instructions can be found in the "Setting up Client Authentication Between Servers and Agents" section of the "Configuring JON Servers and Agents" guide linked to in the References section.

https://access.redhat.com/errata/RHSA-2016:1519
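CVE-2015-5220 is classified as CWE-770 because the management interface buffered request headers without any bound, so a client could push the JVM into OutOfMemoryError simply by sending large headers. The page does not show the EAP-side fix, so the following Python example is added here to illustrate the weakness and its correction rather than to reproduce Red Hat's code: an unbounded header reader beside one that caps single-line length, total header bytes and header count, and rejects the request with 431 before the allocation happens. The limits, host name and sample request are assumed values constructed for the illustration and are not JBoss ON settings.

```python
import io

# Limits for the hardened reader (assumed values, not JBoss ON configuration)
MAX_LINE_BYTES = 8 * 1024       # longest single header line accepted
MAX_HEADER_BYTES = 16 * 1024    # total size of the header block accepted
MAX_HEADER_COUNT = 100          # number of header lines accepted


class HeaderTooLarge(Exception):
    """Raised by the bounded reader; the caller answers 431 and closes."""


def read_headers_unbounded(stream):
    """Vulnerable pattern (CWE-770): buffer header lines until the blank line
    that ends the block, with no cap on line length, total size or count.
    Every connection holds whatever the client chooses to send."""
    headers = []
    while True:
        line = stream.readline()                  # no size limit at all
        if line in (b"", b"\r\n", b"\n"):
            return headers
        name, _, value = line.rstrip(b"\r\n").partition(b":")
        headers.append((name.strip().lower(), value.strip()))


def read_headers_bounded(stream):
    """Hardened reader: every allocation is bounded before it is made.
    readline(limit) never returns more than limit bytes, so an oversized
    line is detected after at most MAX_LINE_BYTES + 1 bytes are read."""
    headers = []
    total = 0
    while True:
        line = stream.readline(MAX_LINE_BYTES + 1)
        if len(line) > MAX_LINE_BYTES:
            raise HeaderTooLarge("header line exceeds %d bytes" % MAX_LINE_BYTES)
        if line in (b"", b"\r\n", b"\n"):
            return headers
        total += len(line)
        if total > MAX_HEADER_BYTES:
            raise HeaderTooLarge("header block exceeds %d bytes" % MAX_HEADER_BYTES)
        if len(headers) >= MAX_HEADER_COUNT:
            raise HeaderTooLarge("more than %d header lines" % MAX_HEADER_COUNT)
        name, _, value = line.rstrip(b"\r\n").partition(b":")
        headers.append((name.strip().lower(), value.strip()))


def handle(raw, reader):
    """Parse one request from bytes with the given header reader. Returns
    (200, {"request": ..., "headers": [...]}) or (431, reason)."""
    stream = io.BytesIO(raw)
    request_line = stream.readline(MAX_LINE_BYTES + 1).rstrip(b"\r\n")
    try:
        headers = reader(stream)
    except HeaderTooLarge as exc:
        return 431, str(exc)
    return 200, {"request": request_line, "headers": headers}


def build_request(pad_len):
    """Constructed sample: a GET carrying one header value of pad_len bytes."""
    return (b"GET /console HTTP/1.1\r\n"
            b"Host: jon.example.test\r\n"
            b"X-Pad: " + b"A" * pad_len + b"\r\n\r\n")


if __name__ == "__main__":
    for pad in (16, 1 << 20):       # a normal request, then a 1 MiB header value
        for reader in (read_headers_unbounded, read_headers_bounded):
            status, detail = handle(build_request(pad), reader)
            held = len(detail["headers"][1][1]) if status == 200 else 0
            print("%-22s pad=%-8d status=%d bytes_held=%d"
                  % (reader.__name__, pad, status, held))
```

The unbounded reader accepts the 1 MiB header and keeps it in memory for the life of the request; multiply that by however many connections the attacker opens and the result is the OutOfMemoryError the advisory describes. The bounded reader fails the same request after reading 8 KiB and never allocates the rest.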

CVE-2016-0800 (SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN); impact Important; CVSS v2 base score 5.8, AV:N/AC:M/Au:N/C:P/I:P/A:N): A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

Vendor Fix: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).

Refer to the JBoss Operations Network 3.3.6 Release Notes for installation information.

To mitigate CVE-2016-3737 you need to manually configure JON to use SSL client authentication between servers and agents. Detailed instructions can be found in the "Setting up Client Authentication Between Servers and Agents" section of the "Configuring JON Servers and Agents" guide linked to in the References section.

https://access.redhat.com/errata/RHSA-2016:1519
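DROWN turns a server that still speaks SSLv2 into a padding oracle against the RSA key exchange of TLS sessions protected by the same RSA key, so the check that matters after this update is whether any endpoint presenting that key (the JON server or anything else sharing its certificate) still answers an SSLv2 CLIENT-HELLO. The following Python probe is an added example, not Red Hat's tooling: it sends a minimal SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind and classifies the reply. A SERVER-HELLO (message type 4) means SSLv2 is enabled; a TLS alert or a closed connection means the stack refused it. The 40-bit export kinds are flagged separately because the published attack is most practical when the server accepts them. The host and port on the command line are hypothetical, and the sample replies are constructed so the parser can be exercised offline.

```python
import os
import socket
import struct
import sys

# SSLv2 CipherKind values (3 bytes each) from the SSLv2 specification
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello():
    """SSLv2 CLIENT-HELLO: type 1, version 0x0002, all cipher kinds, no
    session id, 16-byte challenge, wrapped in a 2-byte record header."""
    specs = b"".join(SSLV2_CIPHERS)
    challenge = os.urandom(16)
    body = (b"\x01\x00\x02" + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_response(data):
    """Classify the first bytes a server sent back to the CLIENT-HELLO."""
    if len(data) < 2:
        return {"sslv2": False, "reason": "empty reply or connection closed"}
    if data[0] & 0x80:                                   # 2-byte header, no padding
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:                                                # 3-byte header with padding byte
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    body = data[hdr:hdr + length]
    # SERVER-HELLO: type(1) session_id_hit(1) cert_type(1) version(2)
    #               cert_len(2) cipher_specs_len(2) conn_id_len(2) cert specs conn_id
    if len(body) >= 11 and body[0] == 0x04 and body[3:5] == b"\x00\x02":
        cert_len, specs_len, _conn_len = struct.unpack("!HHH", body[5:11])
        specs = body[11 + cert_len:11 + cert_len + specs_len]
        kinds = [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]
        names = [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds]
        return {"sslv2": True, "ciphers": names,
                "export_ciphers": any("EXPORT" in n for n in names)}
    if data[0] == 0x15:                                  # TLS alert record instead
        return {"sslv2": False, "reason": "TLS alert"}
    return {"sslv2": False, "reason": "no SSLv2 SERVER-HELLO"}


def probe_sslv2(host, port, timeout=5.0):
    """Connect, send the CLIENT-HELLO and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_sslv2_response(reply)


# Constructed sample replies (not captured from any real server) for offline use
def _server_hello(specs, cert=b""):
    body = (b"\x04\x00\x01\x00\x02" + struct.pack("!HHH", len(cert), len(specs), 16)
            + cert + specs + b"\x00" * 16)
    return struct.pack("!H", 0x8000 | len(body)) + body

SAMPLE_SSLV2_REPLY = _server_hello(b"\x01\x00\x80\x02\x00\x80\x07\x00\xc0")
SAMPLE_TLS_ALERT_REPLY = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal protocol_version alert

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])           # hypothetical host and TLS port
    print(probe_sslv2(host, port))
```

An endpoint that returns sslv2 True after the update is still exposed regardless of what the JON server itself negotiates, because the oracle is the key, not the service; fix it at that endpoint (or rotate the key) rather than only on the JON side.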
References
https://access.redhat.com/errata/RHSA-2016:1519 self
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/jbossnetwork/restricted… external
https://access.redhat.com/documentation/en-US/Red… external
https://access.redhat.com/articles/2570101 external
https://bugzilla.redhat.com/show_bug.cgi?id=1184000 external
https://bugzilla.redhat.com/show_bug.cgi?id=1186300 external
https://bugzilla.redhat.com/show_bug.cgi?id=1205429 external
https://bugzilla.redhat.com/show_bug.cgi?id=1206485 external
https://bugzilla.redhat.com/show_bug.cgi?id=1207232 external
https://bugzilla.redhat.com/show_bug.cgi?id=1211341 external
https://bugzilla.redhat.com/show_bug.cgi?id=1212495 external
https://bugzilla.redhat.com/show_bug.cgi?id=1213812 external
https://bugzilla.redhat.com/show_bug.cgi?id=1218129 external
https://bugzilla.redhat.com/show_bug.cgi?id=1232836 external
https://bugzilla.redhat.com/show_bug.cgi?id=1253647 external
https://bugzilla.redhat.com/show_bug.cgi?id=1255597 external
https://bugzilla.redhat.com/show_bug.cgi?id=1257741 external
https://bugzilla.redhat.com/show_bug.cgi?id=1261890 external
https://bugzilla.redhat.com/show_bug.cgi?id=1264001 external
https://bugzilla.redhat.com/show_bug.cgi?id=1266356 external
https://bugzilla.redhat.com/show_bug.cgi?id=1268329 external
https://bugzilla.redhat.com/show_bug.cgi?id=1272358 external
https://bugzilla.redhat.com/show_bug.cgi?id=1272473 external
https://bugzilla.redhat.com/show_bug.cgi?id=1288455 external
https://bugzilla.redhat.com/show_bug.cgi?id=1290436 external
https://bugzilla.redhat.com/show_bug.cgi?id=1295863 external
https://bugzilla.redhat.com/show_bug.cgi?id=1297702 external
https://bugzilla.redhat.com/show_bug.cgi?id=1298144 external
https://bugzilla.redhat.com/show_bug.cgi?id=1299448 external
https://bugzilla.redhat.com/show_bug.cgi?id=1301575 external
https://bugzilla.redhat.com/show_bug.cgi?id=1302322 external
https://bugzilla.redhat.com/show_bug.cgi?id=1306231 external
https://bugzilla.redhat.com/show_bug.cgi?id=1306602 external
https://bugzilla.redhat.com/show_bug.cgi?id=1308947 external
https://bugzilla.redhat.com/show_bug.cgi?id=1309481 external
https://bugzilla.redhat.com/show_bug.cgi?id=1310593 external
https://bugzilla.redhat.com/show_bug.cgi?id=1311140 external
https://bugzilla.redhat.com/show_bug.cgi?id=1312847 external
https://bugzilla.redhat.com/show_bug.cgi?id=1317993 external
https://bugzilla.redhat.com/show_bug.cgi?id=1320478 external
https://bugzilla.redhat.com/show_bug.cgi?id=1323325 external
https://bugzilla.redhat.com/show_bug.cgi?id=1324828 external
https://bugzilla.redhat.com/show_bug.cgi?id=1328316 external
https://bugzilla.redhat.com/show_bug.cgi?id=1333618 external
https://bugzilla.redhat.com/show_bug.cgi?id=1339301 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2015-5220 self
https://bugzilla.redhat.com/show_bug.cgi?id=1255597 external
https://www.cve.org/CVERecord?id=CVE-2015-5220 external
https://nvd.nist.gov/vuln/detail/CVE-2015-5220 external
https://access.redhat.com/security/cve/CVE-2016-0800 self
https://bugzilla.redhat.com/show_bug.cgi?id=1310593 external
https://www.cve.org/CVERecord?id=CVE-2016-0800 external
https://nvd.nist.gov/vuln/detail/CVE-2016-0800 external
https://access.redhat.com/articles/2176731 external
https://www.drownattack.com/ external
https://www.openssl.org/news/secadv/20160301.txt external
Acknowledgments
CVE-2015-5220: Aaron Ogburn (Red Hat GSS Middleware Tea); this issue was discovered by Red Hat.
CVE-2016-0800: the OpenSSL project; Nimrod Aviram and Sebastian Schinzel (acknowledged by upstream).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated August 25, 2016]\nThis advisory described the CVE-2016-3737 flaw in a way which implied\nthe issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide\nto document configuration changes that need to be applied manually to\nmitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nIt was discovered that sending specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)\n\nIt was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)\n\nA padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)\n\nAll users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1519",
        "url": "https://access.redhat.com/errata/RHSA-2016:1519"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/2570101",
        "url": "https://access.redhat.com/articles/2570101"
      },
      {
        "category": "external",
        "summary": "1184000",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1184000"
      },
      {
        "category": "external",
        "summary": "1186300",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186300"
      },
      {
        "category": "external",
        "summary": "1205429",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205429"
      },
      {
        "category": "external",
        "summary": "1206485",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1206485"
      },
      {
        "category": "external",
        "summary": "1207232",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207232"
      },
      {
        "category": "external",
        "summary": "1211341",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1211341"
      },
      {
        "category": "external",
        "summary": "1212495",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1212495"
      },
      {
        "category": "external",
        "summary": "1213812",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1213812"
      },
      {
        "category": "external",
        "summary": "1218129",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1218129"
      },
      {
        "category": "external",
        "summary": "1232836",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1232836"
      },
      {
        "category": "external",
        "summary": "1253647",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1253647"
      },
      {
        "category": "external",
        "summary": "1255597",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1255597"
      },
      {
        "category": "external",
        "summary": "1257741",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1257741"
      },
      {
        "category": "external",
        "summary": "1261890",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261890"
      },
      {
        "category": "external",
        "summary": "1264001",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1264001"
      },
      {
        "category": "external",
        "summary": "1266356",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1266356"
      },
      {
        "category": "external",
        "summary": "1268329",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1268329"
      },
      {
        "category": "external",
        "summary": "1272358",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1272358"
      },
      {
        "category": "external",
        "summary": "1272473",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1272473"
      },
      {
        "category": "external",
        "summary": "1288455",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288455"
      },
      {
        "category": "external",
        "summary": "1290436",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1290436"
      },
      {
        "category": "external",
        "summary": "1295863",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1295863"
      },
      {
        "category": "external",
        "summary": "1297702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1297702"
      },
      {
        "category": "external",
        "summary": "1298144",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1298144"
      },
      {
        "category": "external",
        "summary": "1299448",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1299448"
      },
      {
        "category": "external",
        "summary": "1301575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301575"
      },
      {
        "category": "external",
        "summary": "1302322",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302322"
      },
      {
        "category": "external",
        "summary": "1306231",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1306231"
      },
      {
        "category": "external",
        "summary": "1306602",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1306602"
      },
      {
        "category": "external",
        "summary": "1308947",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308947"
      },
      {
        "category": "external",
        "summary": "1309481",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1309481"
      },
      {
        "category": "external",
        "summary": "1310593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310593"
      },
      {
        "category": "external",
        "summary": "1311140",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311140"
      },
      {
        "category": "external",
        "summary": "1312847",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1312847"
      },
      {
        "category": "external",
        "summary": "1317993",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1317993"
      },
      {
        "category": "external",
        "summary": "1320478",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1320478"
      },
      {
        "category": "external",
        "summary": "1323325",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1323325"
      },
      {
        "category": "external",
        "summary": "1324828",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324828"
      },
      {
        "category": "external",
        "summary": "1328316",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1328316"
      },
      {
        "category": "external",
        "summary": "1333618",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1333618"
      },
      {
        "category": "external",
        "summary": "1339301",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1339301"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1519.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.6 update",
    "tracking": {
      "current_release_date": "2025-11-21T17:56:56+00:00",
      "generator": {
        "date": "2025-11-21T17:56:56+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2016:1519",
      "initial_release_date": "2016-07-27T15:28:48+00:00",
      "revision_history": [
        {
          "date": "2016-07-27T15:28:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:38:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:56:56+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 3.3",
                "product": {
                  "name": "Red Hat JBoss Operations Network 3.3",
                  "product_id": "Red Hat JBoss Operations Network 3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:3.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Operations Network"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Aaron Ogburn"
          ],
          "organization": "Red Hat GSS Middleware Tea",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5220",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2015-08-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1255597"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OOME from EAP 6 http management console",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5220"
        },
        {
          "category": "external",
          "summary": "RHBZ#1255597",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1255597"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5220",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5220"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5220",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5220"
        }
      ],
      "release_date": "2015-10-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-07-27T15:28:48+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.6 Release Notes for installation\ninformation.\n\nTo mitigate CVE-2016-3737 you need to manually configure JON\nto use SSL client authentication between servers and agents. Detailed\ninstructions can be found in the \"Setting up Client Authentication\nBetween Servers and Agents\" section of the \"Configuring JON Servers and\nAgents\" guide linked to in the References section.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1519"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "OOME from EAP 6 http management console"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the OpenSSL project"
          ]
        },
        {
          "names": [
            "Nimrod Aviram",
            "Sebastian Schinzel"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2016-0800",
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0800",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/2176731",
          "url": "https://access.redhat.com/articles/2176731"
        },
        {
          "category": "external",
          "summary": "https://www.drownattack.com/",
          "url": "https://www.drownattack.com/"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv/20160301.txt",
          "url": "https://www.openssl.org/news/secadv/20160301.txt"
        }
      ],
      "release_date": "2016-03-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-07-27T15:28:48+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.6 Release Notes for installation\ninformation.\n\nTo mitigate CVE-2016-3737 you need to manually configure JON\nto use SSL client authentication between servers and agents. Detailed\ninstructions can be found in the \"Setting up Client Authentication\nBetween Servers and Agents\" section of the \"Configuring JON Servers and\nAgents\" guide linked to in the References section.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1519"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)"
    }
  ]
}

