The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
2016-09-27T15:59:06.923
2025-04-12T10:46:40.837
Deferred
CVSSv3.0: 9.8 (CRITICAL)
AV:N/AC:L/Au:N/C:P/I:P/A:C
10.0
8.5
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | redhat | jboss_operations_network | 3.0 | Yes |
| Application | redhat | jboss_operations_network | 3.0.1 | Yes |
| Application | redhat | jboss_operations_network | 3.1 | Yes |
| Application | redhat | jboss_operations_network | 3.1.1 | Yes |
| Application | redhat | jboss_operations_network | 3.1.2 | Yes |
| Application | redhat | jboss_operations_network | 3.1.4 | Yes |
| Application | redhat | jboss_operations_network | 3.2.0 | Yes |
| Application | redhat | jboss_operations_network | 3.2.1 | Yes |
| Application | redhat | jboss_operations_network | 3.2.2 | Yes |
| Application | redhat | jboss_operations_network | 3.2.3 | Yes |
| Application | redhat | jboss_operations_network | 3.3.1 | Yes |
| Application | redhat | jboss_operations_network | 3.3.2 | Yes |
| Application | redhat | jboss_operations_network | 3.3.3 | Yes |
| Application | redhat | jboss_operations_network | 3.3.4 | Yes |
| Application | redhat | jboss_operations_network | 3.3.5 | Yes |
| Application | redhat | jboss_operations_network | 3.3.6 | Yes |