CVE-2016-6330

CRITICAL

Red Hat JBoss Operations Network (JON) - RCE

Title source: llm

Description

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.

References (3)

[Third Party Advisory] http://www.securityfocus.com/bid/92568

[Issue Tracking, Mitigation, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1368864

[Third Party Advisory] https://www.tenable.com/security/research/tra-2016-22

Scores

CVSS v3 9.8

EPSS 0.1300

EPSS Percentile 94.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (16)

redhat/jboss_operations_network

... and 1 more

Timeline

Published Sep 27, 2016

Tracked Since Feb 18, 2026