Hello,
I have been asked in regards to this vulnerability too.
I think that the vulnerability actually has to do with the embedded JBossWeb server.
JBoss 4.2.3 utilizes JBossWeb 2.0.1 GA.
http://wiki.jboss.org/wiki/VersionOfTomcatInJBossAS
You can see the version of JBossWeb utilized in the file "thirdparty-licenses.xml".
JBossWeb 2.0.1 is based on Apache 6.0.13.
The last stable version of JBossWeb is 2.1.0, but it is the one used by JBoss AS 5.0.x.
JBossWeb 2.1.0 is based on Apache Tomcat 6.0.16.
That means that even if you wanted to substitute the JBossWeb jars in your JBoss with the jars of 2.1.0, hoping that it works, you would still be using a library based on Apache 6.0.16.
You may want to review your settings for URIEncoding and allowLinking, and try to convince your security advisor that you are not affected, given that you have different values for these attributes than UTF-8 and true.
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
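A small check for the two settings named in the post, added here as an illustration and not part of the original post or of JBoss: it parses a server.xml and a context.xml (the sample documents below are constructed) and reports whether a connector uses URIEncoding="UTF-8" together with allowLinking="true", assuming the Tomcat 6 defaults apply when an attribute is absent.

```python
import xml.etree.ElementTree as ET

# Tomcat 6 defaults used when the attribute is absent (see the two config pages linked above).
DEFAULT_URI_ENCODING = "ISO-8859-1"
DEFAULT_ALLOW_LINKING = "false"

def connector_encodings(server_xml: str) -> list:
    """Effective URIEncoding of every <Connector> element in a server.xml document."""
    root = ET.fromstring(server_xml)
    return [c.get("URIEncoding", DEFAULT_URI_ENCODING) for c in root.iter("Connector")]

def context_allow_linking(context_xml: str) -> bool:
    """Effective allowLinking of the <Context> element in a context.xml document."""
    root = ET.fromstring(context_xml)
    ctx = root if root.tag == "Context" else root.find(".//Context")
    value = DEFAULT_ALLOW_LINKING if ctx is None else ctx.get("allowLinking", DEFAULT_ALLOW_LINKING)
    return value.strip().lower() == "true"

def audit(server_xml: str, context_xml: str) -> dict:
    """Report whether the configuration has the combination the post asks you to rule out:
    at least one connector with URIEncoding="UTF-8" together with allowLinking="true"."""
    utf8 = [e for e in connector_encodings(server_xml) if e.upper() == "UTF-8"]
    linking = context_allow_linking(context_xml)
    return {
        "utf8_connectors": len(utf8),
        "allow_linking": linking,
        "flagged": bool(utf8) and linking,
    }

# Constructed sample files (not taken from any real deployment).
SERVER_XML = """<Server port="8005">
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""
CONTEXT_XML_WEAK = '<Context cookies="true" allowLinking="true"/>'
CONTEXT_XML_DEFAULT = '<Context cookies="true"/>'

if __name__ == "__main__":
    print(audit(SERVER_XML, CONTEXT_XML_WEAK))     # flagged: True
    print(audit(SERVER_XML, CONTEXT_XML_DEFAULT))  # flagged: False
```

Point the two functions at the server.xml and context.xml of the embedded JBossWeb deployer to get the effective values rather than guessing from the defaults.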