Manjesh h [
https://community.jboss.org/people/manjesh.h] created the discussion
"updating Jbossweb.jars to fix hash collision"
To view the discussion, visit:
https://community.jboss.org/message/735634#735634
--------------------------------------------------------------
Hi ,
I have a product built on Jboss 4.23.000. We found from an internal auditing team that
this version of Jboss’s web-container has a know vulnerability called “Hash Collision” .
The workaround available by setting a configuration parameter
Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT is not application to Jboss 4.23.00
version .
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858
I have seen that Jboss 7.x has a workaround fix for this issue.
1. Is it possible to upgrade only the web-container part of Jboss 423 to Jboss 7.x web
container so that the vulnerability get addressed?
If this is recommended, along with jbossweb.jar which are all other jars needs to be
copied to Jboss 4.23.00 ? because I notice in Jboss’s7 web module there are more number
of jars this time.
1. I have an alternate option to see the source code of Jboss 7.x ‘s jbosspiweb.jar to
check how does it handles the workaround (setting
.apache.tomcat.util.http.Parameters.MAX_COUNT)..then
Change the same code in Jboss 423’s jbossweb.src and rebuild locally to address this
security issue.
I know by doing this way solves only one security issue but not the rest fixed by Jboss
7.x
Please suggest me which option is better given a constraint that we cannot chose to
migrate to Jboss 7.x at this point of time.
-thanks
Manjesh
--------------------------------------------------------------
Reply to this message by going to Community
[
https://community.jboss.org/message/735634#735634]
Start a new discussion in Beginner's Corner at Community
[
https://community.jboss.org/choose-container!input.jspa?contentType=1&...]