1. Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938
rafasanmartinez1 Aug 26, 2008 6:50 AM (in response to frabas1967)
Hello,
I have been asked in regards to this vulnerability too.
I think that the vulnerability actually has to do with the embedded JBossWeb server. JBoss 4.2.3 utilizes JBossWeb 2.0.1 GA.
http://wiki.jboss.org/wiki/VersionOfTomcatInJBossAS
You can see the version of JBossWeb utilized in the file "thirdparty-licenses.xml".
JBossWeb 2.0.1 is based on Apache 6.0.13.
The last stable version of JBossWeb is 2.1.0, but it is the one used by JBoss AS 5.0.x
JBossWeb 2.1.0 is based on Apache Tomcat 6.0.16.
That means that even if you wanted to substitute the JBossWeb jars in your JBoss with the jars of 2.1.0, hoping that it works, you would still be using a library based on Apache 6.0.16.
You may want to review your settings for URIEncoding and allowLinking, and try to convince your security advisor that you are not affected, given that you have values other than UTF-8 and true for these attributes.
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
2. Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938
frabas1967 Aug 26, 2008 9:45 AM (in response to frabas1967)
Sounds good. I was already convinced the specific context needed to open the breach wasn't met. Thanks for your answer.
3. Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938
jfclere Aug 26, 2008 10:01 AM (in response to frabas1967)
You can also check out http://anonsvn.jboss.org/repos/jbossweb/branches/JBOSSWEB_2_0_0_GA_CP/ and build JBossWEB; then you need to copy the jbossweb jar files to replace your 4.2.2 version.
If you don't have URIEncoding="UTF-8" in the connector entries of server.xml, you aren't at risk with CVE-2008-2938.
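The two settings named in this thread (URIEncoding on the Connector entries of server.xml, allowLinking on the Context) are the ones a reviewer has to confirm before deciding whether an installation is affected. The script below is an added example for checking them; it is not code from the thread, from JBoss or from Tomcat. The XML fragments embedded in it are constructed samples with the risky values deliberately present, and the file locations mentioned in the comments (deploy/jboss-web.deployer/server.xml and context.xml under a JBoss 4.2 server configuration) are an assumption about where these files live.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a server.xml Connector section (not taken from the thread).
# Assumed location in JBoss 4.2: deploy/jboss-web.deployer/server.xml
SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>
"""

# Constructed sample of a global context.xml (not taken from the thread).
# Assumed location in JBoss 4.2: deploy/jboss-web.deployer/context.xml
CONTEXT_XML = """<Context cookies="true" crossContext="true" allowLinking="true" />
"""


def utf8_connectors(server_xml: str) -> list:
    """Return the port of every Connector whose URIEncoding is UTF-8.

    The charset name is compared case-insensitively, so "utf-8" counts as well.
    """
    root = ET.fromstring(server_xml)
    return [
        c.get("port", "?")
        for c in root.iter("Connector")
        if (c.get("URIEncoding") or "").strip().lower() in ("utf-8", "utf8")
    ]


def allow_linking(*xml_docs: str) -> bool:
    """True if any Context element in the given documents sets allowLinking="true".

    Tomcat defaults allowLinking to false, so a missing attribute is treated as false.
    """
    for doc in xml_docs:
        root = ET.fromstring(doc)
        for ctx in root.iter("Context"):
            if (ctx.get("allowLinking") or "false").strip().lower() == "true":
                return True
    return False


def assess(server_xml: str, context_xml: str) -> dict:
    """Summarise the two preconditions the thread names for CVE-2008-2938."""
    ports = utf8_connectors(server_xml)
    linking = allow_linking(server_xml, context_xml)
    return {
        "utf8_connectors": ports,
        "allow_linking": linking,
        # The vulnerable combination is both settings together; either one on its
        # own is worth recording for the reviewer but is not the affected configuration.
        "exposed": bool(ports) and linking,
    }


if __name__ == "__main__":
    # Replace the constructed samples with the contents of your own files.
    print(assess(SERVER_XML, CONTEXT_XML))
```

To run this against a real installation, read the two files from the server configuration directory and pass their contents to assess(); the function reports which connectors use UTF-8 and whether linking is enabled, so the answer given to a security advisor can point at the actual attribute values rather than the JBossWeb version alone.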
4. Re: JBoss 4.2.2 AS Vulnerability to CVE-2008-2938
rafasanmartinez1 Aug 27, 2008 3:54 AM (in response to frabas1967)
Thanks for your very quick answer, Jean!