[jboss-dev] JBoss AS Security Vulnerability

Symantec discovered a flaw in the DeploymentFileRepository class of the JBoss Application Server. A remote attacker who is able to access the console manager could read or write to files with the permissions of the JBoss AS user. This could potentially lead to arbitrary code execution as the JBoss AS user. (CVE-2006-5750) Please note that the JBoss AS console manager should always be secured prior to deployment, as directed in the JBoss Application Server Guide. By default, the JBoss AS installer gives users the ability to password protect the console manager, limiting an attack using this vulnerability to authorised users. These steps can also be performed manually. http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureJBoss This vulnerability affects all JBoss AS releases from v3.2.4 to v.4.0.5 Please see this link for information on how to fix this vulnerability: http://jira.jboss.com/jira/browse/JBAS-3861