[jboss-user] [Security & JAAS/JBoss] - Vulnerability Scan in JBoss 2.2.3.GA

ramboid do-not-reply at jboss.com
Fri Aug 29 11:08:23 EDT 2008


How can I configure the version 2.2.3.GA to avoid a vulnerability with the status servlet without having to leave the open source version of JBoss? In the latest vulnerability scan of my company systems, the JBoss 2.2.3.GA was reported with the following vulnerability:
 
TCP 8443 pcsync-https  5
Synopsis : The remote web server contains a servlet that is affected by an information disclosure vulnerability.
Description : The version of JBoss Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to status servlet, which is used to monitor sessions and requests sent to the server.
See also : https://bugzilla.redhat.com/show_bug.cgi?id=457757 http://jira.jboss.com/jira/browse/JBPAPP-544 (login required)
Solution: Upgrade to JBoss EAP version 4.2.0.CP03 / 4.3.0.CP01.
Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2008-3273
BID : 30540
 



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4173366#4173366

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4173366



More information about the jboss-user mailing list