1 Reply Latest reply on Sep 20, 2010 3:11 AM by hasham.khawaja

    JBoss EAP Status Servlet Request Remote Information Disclosure

    hasham.khawaja

      Hi!


      I am using JBoss 4.2.2 GA and I have updated JBoss Web to JBoss Web 2.0.0.GA_CP14-brew from the following site:

      http://repository.jboss.org/jboss/web/


      I have run a security scan and it is showing a vulnerability, "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure", and the CVE IDs are CVE-2008-3273 and CVE-2010-1429. I want to remove this vulnerability. So can anyone help me? Have I updated the wrong version of JBoss Web? Or is there something else wrong?


      Thanks,

      Hasham.

        • 1. Re: JBoss EAP Status Servlet Request Remote Information Disclosure
          hasham.khawaja

          Can anyone help me with this problem please?


          I am using JBoss 4.2.2 GA and JDK 1.5, which, I think, uses JBoss Web 2.0.1. It has the "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure" vulnerability (CVE-2010-1429). It is mentioned in many places that it is fixed in "JBoss EAP 4.2.0.CP09". I haven't found any link to download this version.


          So, is there any patch for JBoss Web 2.0.1 in which this issue is fixed? Or is there any version of JBoss which supports JDK 1.5 and does not have critical vulnerabilities? I just want to remove all vulnerabilities from my application. The version of JBoss will not matter as long as it supports JDK 1.5.


          Thanks,

          Hasham.