1 Reply Latest reply on Apr 30, 2011 5:10 AM by wdfink

new to jboss - seeking help with 4.2.3

nwang Apr 29, 2011 7:45 PM

hello JBOSS user forum

My company recently purchased software that uses JBOSS (jboss-4.2.3.GA) as application server. A network scan found the following:

Windows Server 2003 (Service Pack 2)

Description:

A vulnerability exists in JBoss Enterprise Application Platform(EAP) that may allow for sensitive information disclosure.

Recommendation:

Update JBoss Enterprise Application Platform to 4.2.0.CP3 or4.3.0.CP1

Observation:

JBoss Enterprise Application Platform (EAP) is a platform forrunning Java applications.

The flaw lies in the status servlet in JBoss EAP. Successfulexploitation would allow remote attackers to obtain sensitive information

via a request with a "full=true" query string.

Common Vulnerabilities & Exposures (CVE) Link:

CVE-2008-3273

IAVA Reference Number

IAVA-REF-NUMBER-NOMATCH

1. what does GA and CP stand for?

2. why is it recommended that i "update" to a seemingly older version?

thanks in advance

1. new to jboss - seeking help with 4.2.3

wdfink Apr 30, 2011 5:10 AM (in response to nwang)

Hi Charlie,
you have found help , welcome to the community-forum.

There are two different JBoss distributions
1) the community with releases like 4.2.1, 4.2.2, 4.2.3 and so on for different releases.
This version is open source without any professional support, you might get help here or not.
New and experimental features might raise here earlier.

2) The EAP (Enterprise Application Platform) version will count 4.2.0, 4.3.0 with a CP number (Cumulative Patch)
This version is only available if you have a support contract with RedHat (or as evaluation version).
The version have a more stable release and test cycle, you get updates for previous versions and, in case of bugs, a special patch for your version in production.

Because of this a 4.2.0.GA_CP0x might be newer as the 4.2.3(community).

I hope this will make it clear for you.
Actions