[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938

rafasanmartinez@rota do-not-reply at jboss.com
Tue Aug 26 06:50:41 EDT 2008


I have been asked in regards to this vulnerability too.

I think that the vulnerability, actually has to do with the embedded JBossWeb server. JBoss 4.2.3 utilizes JBossWeb 2.0.1 GA.


You can see the version of JBossWeb utilized in the file "thirdparty-licenses.xml".

JBossWeb 2.0.1 is based on Apache 6.0.13. 

The last stable version of JBossWeb is 2.1.0, but it is the one used by JBoss AS 5.0.x
JBossWeb 2.1.0 is based on Apache Tomcat 6.0.16.

That means that even if you wanted to substitute the JBossWeb jars in your JBoss by the jars of 2.1.0, hoping that it works, you would still be using a library based on Apache 6.0.16.

You may want to review your settings for URIEncoding and allowLinking, and try to convince to your security advisor that you are not affected, given that you have different values for these attributes than UTF-8 and true.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172529#4172529

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4172529

More information about the jboss-user mailing list