Hi there,
my first post here.
My security advisor asked me if JBoss AS 4.2.2 is vulnerable to CVE-2009-0027 as stated in http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0027.
-------------------------
The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.
-------------------------
I'm not using JBossWS in my application, so I think I'm safe from this vulnerability. Is that right?
Any hints on this?