1 Reply Latest reply on Jun 2, 2014 11:27 AM by jfclere

CVE-2014-0075 and Jboss 4.2.3

arun168403 Jun 2, 2014 8:24 AM

Hi,

I using Jboss 4.2.3 as my application server.

Could anybody suggest, is my application server is vulnerable to CVE-2014-0075.

If yes, how can I resolve this threat?

please advise.

1. Re: CVE-2014-0075 and Jboss 4.2.3

jfclere Jun 2, 2014 11:27 AM (in response to arun168403)

A quick look shows that 4.2.3 uses jbossweb 2.0.1 which looks to be affected so you are affected...
You should get the sources of jbossweb-2.0.1 adjust the tomcat6 patch (http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java?r1=1564350&r2=1579262&pathrev=1579262&view=patch) build jbossweb.jar and replace the jbossweb.jar in your 4.2.3.

Probably you should move to a supported version if you are using it in production ;-)
Actions