rhsa-2016_1519
Vulnerability from csaf_redhat
Published
2016-07-27 15:28
Modified
2024-11-22 09:24
Summary
Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.6 update

Notes

Topic
Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated August 25, 2016] This advisory described the CVE-2016-3737 flaw in a way which implied the issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide to document configuration changes that need to be applied manually to mitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.
Details
Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes. The following security issues are also fixed with this release: It was discovered that sending specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737) It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n[Updated August 25, 2016]\nThis advisory described the CVE-2016-3737 flaw in a way which implied\nthe issue was addressed via a code fix included in this erratum. However, the issue was actually addressed by updating the JON installation guide\nto document configuration changes that need to be applied manually to\nmitigate the issue. Refer to the Solution text below, and the Knowledgebase Article in the References section for further details.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.\n\nThis JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.\n\nThe following security issues are also fixed with this release:\n\nIt was discovered that sending specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737)\n\nIt was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220)\n\nA padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800)\n\nAll users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1519",
        "url": "https://access.redhat.com/errata/RHSA-2016:1519"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/2570101",
        "url": "https://access.redhat.com/articles/2570101"
      },
      {
        "category": "external",
        "summary": "1184000",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1184000"
      },
      {
        "category": "external",
        "summary": "1186300",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1186300"
      },
      {
        "category": "external",
        "summary": "1205429",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205429"
      },
      {
        "category": "external",
        "summary": "1206485",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1206485"
      },
      {
        "category": "external",
        "summary": "1207232",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1207232"
      },
      {
        "category": "external",
        "summary": "1211341",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1211341"
      },
      {
        "category": "external",
        "summary": "1212495",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1212495"
      },
      {
        "category": "external",
        "summary": "1213812",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1213812"
      },
      {
        "category": "external",
        "summary": "1218129",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1218129"
      },
      {
        "category": "external",
        "summary": "1232836",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1232836"
      },
      {
        "category": "external",
        "summary": "1253647",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1253647"
      },
      {
        "category": "external",
        "summary": "1255597",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1255597"
      },
      {
        "category": "external",
        "summary": "1257741",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1257741"
      },
      {
        "category": "external",
        "summary": "1261890",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261890"
      },
      {
        "category": "external",
        "summary": "1264001",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1264001"
      },
      {
        "category": "external",
        "summary": "1266356",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1266356"
      },
      {
        "category": "external",
        "summary": "1268329",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1268329"
      },
      {
        "category": "external",
        "summary": "1272358",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1272358"
      },
      {
        "category": "external",
        "summary": "1272473",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1272473"
      },
      {
        "category": "external",
        "summary": "1288455",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1288455"
      },
      {
        "category": "external",
        "summary": "1290436",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1290436"
      },
      {
        "category": "external",
        "summary": "1295863",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1295863"
      },
      {
        "category": "external",
        "summary": "1297702",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1297702"
      },
      {
        "category": "external",
        "summary": "1298144",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1298144"
      },
      {
        "category": "external",
        "summary": "1299448",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1299448"
      },
      {
        "category": "external",
        "summary": "1301575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301575"
      },
      {
        "category": "external",
        "summary": "1302322",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1302322"
      },
      {
        "category": "external",
        "summary": "1306231",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1306231"
      },
      {
        "category": "external",
        "summary": "1306602",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1306602"
      },
      {
        "category": "external",
        "summary": "1308947",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1308947"
      },
      {
        "category": "external",
        "summary": "1309481",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1309481"
      },
      {
        "category": "external",
        "summary": "1310593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310593"
      },
      {
        "category": "external",
        "summary": "1311140",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311140"
      },
      {
        "category": "external",
        "summary": "1312847",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1312847"
      },
      {
        "category": "external",
        "summary": "1317993",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1317993"
      },
      {
        "category": "external",
        "summary": "1320478",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1320478"
      },
      {
        "category": "external",
        "summary": "1323325",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1323325"
      },
      {
        "category": "external",
        "summary": "1324828",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1324828"
      },
      {
        "category": "external",
        "summary": "1328316",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1328316"
      },
      {
        "category": "external",
        "summary": "1333618",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1333618"
      },
      {
        "category": "external",
        "summary": "1339301",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1339301"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1519.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.6 update",
    "tracking": {
      "current_release_date": "2024-11-22T09:24:42+00:00",
      "generator": {
        "date": "2024-11-22T09:24:42+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2016:1519",
      "initial_release_date": "2016-07-27T15:28:48+00:00",
      "revision_history": [
        {
          "date": "2016-07-27T15:28:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-02-20T12:38:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:24:42+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Operations Network 3.3",
                "product": {
                  "name": "Red Hat JBoss Operations Network 3.3",
                  "product_id": "Red Hat JBoss Operations Network 3.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_operations_network:3.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Operations Network"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Aaron Ogburn"
          ],
          "organization": "Red Hat GSS Middleware Tea",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5220",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2015-08-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1255597"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OOME from EAP 6 http management console",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5220"
        },
        {
          "category": "external",
          "summary": "RHBZ#1255597",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1255597"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5220",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5220"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5220",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5220"
        }
      ],
      "release_date": "2015-10-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-07-27T15:28:48+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.6 Release Notes for installation\ninformation.\n\nTo mitigate CVE-2016-3737 you need to manually configure JON\nto use SSL client authentication between servers and agents. Detailed\ninstructions can be found in the \"Setting up Client Authentication\nBetween Servers and Agents\" section of the \"Configuring JON Servers and\nAgents\" guide linked to in the References section.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1519"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "OOME from EAP 6 http management console"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the OpenSSL project"
          ]
        },
        {
          "names": [
            "Nimrod Aviram",
            "Sebastian Schinzel"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2016-0800",
      "discovery_date": "2016-02-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1310593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Operations Network 3.3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "RHBZ#1310593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-0800",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0800"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/articles/2176731",
          "url": "https://access.redhat.com/articles/2176731"
        },
        {
          "category": "external",
          "summary": "https://www.drownattack.com/",
          "url": "https://www.drownattack.com/"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv/20160301.txt",
          "url": "https://www.openssl.org/news/secadv/20160301.txt"
        }
      ],
      "release_date": "2016-03-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-07-27T15:28:48+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying this update, back up your\nexisting JBoss Operations Network installation (including its databases,\napplications, configuration files, the JBoss Operations Network server\u0027s\nfile system directory, and so on).\n\nRefer to the JBoss Operations Network 3.3.6 Release Notes for installation\ninformation.\n\nTo mitigate CVE-2016-3737 you need to manually configure JON\nto use SSL client authentication between servers and agents. Detailed\ninstructions can be found in the \"Setting up Client Authentication\nBetween Servers and Agents\" section of the \"Configuring JON Servers and\nAgents\" guide linked to in the References section.",
          "product_ids": [
            "Red Hat JBoss Operations Network 3.3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1519"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Operations Network 3.3"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.