Hi,
I have a product built on Jboss 4.23.000. We found from an internal auditing team that this version of Jboss's web container has a known vulnerability called "Hash Collision".
The workaround available by setting the configuration parameter Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT is not applicable to the Jboss 4.23.00 version.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4858
I have seen that Jboss 7.x has a workaround fix for this issue.
If this is recommended, along with jbossweb.jar, which other jars need to be copied to Jboss 4.23.00? I notice that in Jboss 7's web module there are more jars this time.
Change the same code in Jboss 423's jbossweb.src and rebuild locally to address this security issue.
I know that doing it this way solves only one security issue, but not the rest fixed by Jboss 7.x.
Please suggest which option is better, given the constraint that we cannot choose to migrate to Jboss 7.x at this point in time.
-thanks
Manjesh
Closing this thread. Please continue this discussion in your other thread here https://community.jboss.org/message/736120#736120