[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938
rafasanmartinez@rota
do-not-reply at jboss.com
Tue Aug 26 06:50:41 EDT 2008
Hello,
I have been asked in regards to this vulnerability too.
I think that the vulnerability, actually has to do with the embedded JBossWeb server. JBoss 4.2.3 utilizes JBossWeb 2.0.1 GA.
http://wiki.jboss.org/wiki/VersionOfTomcatInJBossAS
You can see the version of JBossWeb utilized in the file "thirdparty-licenses.xml".
JBossWeb 2.0.1 is based on Apache 6.0.13.
The last stable version of JBossWeb is 2.1.0, but it is the one used by JBoss AS 5.0.x
JBossWeb 2.1.0 is based on Apache Tomcat 6.0.16.
That means that even if you wanted to substitute the JBossWeb jars in your JBoss by the jars of 2.1.0, hoping that it works, you would still be using a library based on Apache 6.0.16.
You may want to review your settings for URIEncoding and allowLinking, and try to convince to your security advisor that you are not affected, given that you have different values for these attributes than UTF-8 and true.
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172529#4172529
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4172529
More information about the jboss-user
mailing list