Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1835 Critical: Red Hat JBoss Operations Network 3.3.6 update 28 July 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat JBoss Operations Network Publisher: Red Hat Operating System: Red Hat Windows Solaris Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-3737 CVE-2016-0800 CVE-2015-5220 Reference: ASB-2016.0074 ESB-2016.0756 ESB-2016.0689 ESB-2015.2624 Original Bulletin: https://rhn.redhat.com/errata/RHSA-2016-1519.html Comment: An exploit for CVE-2016-3737 is publicly available. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: Red Hat JBoss Operations Network 3.3.6 update Advisory ID: RHSA-2016:1519-01 Product: Red Hat JBoss Operations Network Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1519.html Issue date: 2016-07-27 CVE Names: CVE-2015-5220 CVE-2016-0800 CVE-2016-3737 ===================================================================== 1. Summary: Red Hat JBoss Operations Network 3.3 update 6, which fixes two security issues and several bugs, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Description: Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.3.6 release serves as a replacement for JBoss Operations Network 3.3.5, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes. The following security issues are also fixed with this release: It was discovered that sending specially crafted HTTP request to the JON server would allow deserialization of that message without authentication. An attacker could use this flaw to cause remote code execution. (CVE-2016-3737) It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. (CVE-2015-5220) A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN. (CVE-2016-0800) All users of JBoss Operations Network 3.3.5, as provided from the Red Hat Customer Portal, are advised to upgrade to JBoss Operations Network 3.3.6. 3. Solution: The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on). Refer to the JBoss Operations Network 3.3.6 Release Notes for installation information. 4. Bugs fixed (https://bugzilla.redhat.com/): 1184000 - Bundles missing from the left list / bundle navigation tree 1186300 - java.lang.IllegalArgumentException:Invalid column widths (more widths than columns) [58%, *] error thrown in JBoss ON UI 1205429 - Platform's file system resources are blacklisted and all other child resources take 5 minutes to discover if NFS mount exists to host that is blocking RPC port 1206485 - JON favicon is not used 1207232 - Search bar placed over the main menu on navigating to Dashboards 1211341 - Browser session timeouts on pages where autorefresh is enabled 1212495 - Solaris10-Error in server log after Generate JDR Report operation 1213812 - After upgrade from JBoss ON 3.2 to 3.3, some rhq column families are unavailable and compaction operations fail 1218129 - Calltime metrics sort does not work properly 1232836 - NoResultException in server.log when deploying from resource content for war type != File (Deployment:AS7) 1253647 - jboss-on-agent-init-ec2 requires old package 1255597 - CVE-2015-5220 OOME from EAP 6 http management console 1257741 - First attempt of saving SNMP alert configurations is failed if UDP transport protocol is used 1261890 - Metrics are not properly updated/refreshed in JON UI 1264001 - JON UI fails to load metrics with the message "Cannot load metrics" while plugin container is restarting 1266356 - Commons HttpClient can hang during SSLHandshake 1268329 - The same user is able to upload bundle via 'Upload' but not via 'URL' 1272358 - When creating a big bundle via UI the wizard shows errors if user clicks Next button multiple times 1272473 - Confusing error shown in UI wizard when creating big bundle on oracle and hitting ORA-01691: unable to extend lob segment 1288455 - The data aggregation job in JBoss ON stopped due to unreachable storage node 1290436 - Invalid properties PARTITION_EVENT_PURGE and RESOURCE_CONFIG_HISTORY_PURGE appear on system setting page and prevent config from being saved 1295863 - The number of resources in All Groups/Compatible Groups page is not correct all the time 1297702 - Deletion of partition events in JBoss ON results in OutOfMemoryError when there is a million or more partition events to be deleted 1298144 - Missing "Event Detection" option from the drop down list when trying to create an alert using alert template 1299448 - Storage node heap size cannot be changed using JBoss ON UI 1301575 - apply-updates.bat in jon-server-3.3-update-04.zip only works reliably in the USA 1302322 - Secure server-agent communication using sslsocket incorrectly requires a truststore password 1306231 - Method SystemManager.setSystemSettings(settings) does not propagate LDAP changes into the RHQ Server's JAAS login modules 1306602 - Uninventory of resource leaves orphaned content data in the database 1308947 - Group Operation sequential execution list limited to 50 members 1309481 - Remote API is missing ability to retrieve and revert historic plug-in and resource configuration 1310593 - CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) 1311140 - EAP7 - missing rt filter modules for eap7 1312847 - Report "Suspect Metrics" is empty for user in "All Resources" role 1317993 - Application fails to deploy on EAP7 when the rt filter is installed 1320478 - NPE in server.log Error persisting trait data 1323325 - rhqctl status can report storage node as ?running or ?down if locale does not support extended character sets 1324828 - pretty.print(null) fails 1328316 - Required fields in map-property does not prevent finishing the Resource Create Wizard 1333618 - CVE-2016-3737 JON: The agent/server communication deserializes data, and does not require authentication 1339301 - REST fetch of groups doesn't scale 5. References: https://access.redhat.com/security/cve/CVE-2015-5220 https://access.redhat.com/security/cve/CVE-2016-0800 https://access.redhat.com/security/cve/CVE-2016-3737 https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXmNN3XlSAg2UNWIIRAgTIAJ4l+jjDlbp3HJRkfP84ZKgSptPR4QCguAnn Dq9UQGPLwe2Pp2G8pyn28P4= =5qRr - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV5lRHox+lLeg9Ub1AQhU2xAAiLJ0ytu/5cmEz273gEzSRgtOAndMw8p2 aXC01CHqnArzA+fXjLY59J8IxEEfCiKbS1/BhYMZ6vWHMXeyl9ymGde2LKJV8R68 JtFY8rnT1IPm1jUt+aF7Om8/Sw0yvdxsjDMfEHaXG0HNkRoWo8Q43+XHN9HEWysW Tt8s7ojCAJRTlPL5EQoKsmyLjz9X1c0OWsT5PBvBOvdYEqHjrpeDIwKGtQFtNL2G sOgtCU2pak+yBmr/mWus/ZAt+ZllLCSqADn7cXdBhSRSMhUpzzk+1Ofbdr5VizZc koX29vBs4s9d29Z6SbRE+R93zRbF0SB3do5C8lhQ5uUXPIDiqFw6HY9BTRjS7IHI R3XKoKVHa3MnZo14jE0e4lei9YdQiqcKbLCNTgr/K6cyG3MrJq8a6CT2OJlwVAd3 z5qUbXunj8+BsIK5duR6YameePka3ic1FWkgxSxVUH8ql3JhWHvu/91Ivm4Wc3uW wdsCo8Cfm4PBIuwGOWRtMEQFCDFEpSQqTZpW5sIVVdMYTzm9kInsp1FYx9GhdpHl yLIcPaD7PptTFAw8TmUIDFSUbpwcSlOZsz6VeAJTAVQW0gOlnlz9VRA0pwaR6Kte ffR82glQ/tPnZCzLUj/EV1BgoO7h+Ws7fEcCkRGivzjYiAvNllW/3KAzLIJ4dYM8 jlIv9EC/wQ8= =Ye4V -----END PGP SIGNATURE-----