CVE-2016-6330
First published: Mon Aug 22 2016(Updated: )
The fix for <a href="https://access.redhat.com/security/cve/CVE-2016-3737">CVE-2016-3737</a> in JON 3.3.6 was deemed to be incomplete. While we included a documentation fix in the installation guide which explained how to mitigate the issue, we provided misleading information in the security advisory for JON 3.3.6, that it was fixed by that update, which was not correct. To fix this issue, you need to configure SSL authentication for the JON Server/Agent communication. Please see the documentation for details on how to do that: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html">https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html</a> It is not feasible to correct this issue with a code change as client SSL certificates need to be created in order to support client authentication. The Administration and Configuration guide notes how to mitigate this through the creation of certificates to support SSL authentication. This mitigation is the best way to correct this issue and, as a result, we will not be releasing any patches to correct the issue.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Jboss Operations Network | =3.0 | |
| Redhat Jboss Operations Network | =3.0.1 | |
| Redhat Jboss Operations Network | =3.1 | |
| Redhat Jboss Operations Network | =3.1.1 | |
| Redhat Jboss Operations Network | =3.1.2 | |
| Redhat Jboss Operations Network | =3.1.4 | |
| Redhat Jboss Operations Network | =3.2.0 | |
| Redhat Jboss Operations Network | =3.2.1 | |
| Redhat Jboss Operations Network | =3.2.2 | |
| Redhat Jboss Operations Network | =3.2.3 | |
| Redhat Jboss Operations Network | =3.3.1 | |
| Redhat Jboss Operations Network | =3.3.2 | |
| Redhat Jboss Operations Network | =3.3.3 | |
| Redhat Jboss Operations Network | =3.3.4 | |
| Redhat Jboss Operations Network | =3.3.5 | |
| Redhat Jboss Operations Network | =3.3.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2016-3737
- https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Operations_Network/3.3/html/Admin_and_Config/JBoss_ON_and_SSL-Authentication.html
- https://access.redhat.com/articles/2570101
- https://bugzilla.redhat.com/show_bug.cgi?id=1368864
- http://www.securityfocus.com/bid/92568
- https://www.tenable.com/security/research/tra-2016-22
- collector/nvd-index
- agent/weakness
- agent/tags
- agent/event
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-6330
- vendor/redhat
- canonical/redhat jboss operations network
- version/redhat jboss operations network/3.0
- version/redhat jboss operations network/3.0.1
- version/redhat jboss operations network/3.1
- version/redhat jboss operations network/3.1.1
- version/redhat jboss operations network/3.1.2
- version/redhat jboss operations network/3.1.4
- version/redhat jboss operations network/3.2.0
- version/redhat jboss operations network/3.2.1
- version/redhat jboss operations network/3.2.2
- version/redhat jboss operations network/3.2.3
- version/redhat jboss operations network/3.3.1
- version/redhat jboss operations network/3.3.2
- version/redhat jboss operations network/3.3.3
- version/redhat jboss operations network/3.3.4
- version/redhat jboss operations network/3.3.5
- version/redhat jboss operations network/3.3.6