This is a 2-part question. I'm currently running 4.2.3.GA with an updated jbossweb jar from the 2.0.0.GA.CP15 tag. I would like to know if my server is vulnerable to the latest security issues and what version of jbossweb I can get to help me. Looking at https://community.jboss.org/wiki/VersionOfTomcatInJBossAS, I need to get the latest jbossweb 2.0.1 version, which is 2.0.1.GA, found here: http://anonsvn.jboss.org/repos/jbossweb/tags/. Is this correct, as far as getting the latest version of jbossweb for 4.2.3.GA?
In IAVM 2011-B-0148, multiple security vulnerabilities were addressed by Tomcat, and the fix is to update to the latest Tomcat 6.0.35. Seeing that jbossweb is forked from Tomcat, how do I know if I'm vulnerable or not to these issues? How do security vulnerabilities get addressed in jbossweb, and isn't there a list that I can go to that shows this info?
Thanks,
Dan
There is a http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_0_GA_CP16/ so you are probably vulnerable to some CVE.
What is IAVM 2011-B-0148?