1 Reply Latest reply on Sep 20, 2010 3:11 AM by Hasham Khawaja

    JBoss EAP Status Servlet Request Remote Information Disclosure

    Hasham Khawaja Newbie

      Hi!

       

      I am using Jboss 4.2.2 GA and I have updated Jbossweb to Jbossweb 2.0.0.GA_CP14-brew from the following site:

      http://repository.jboss.org/jboss/web/

       

      I have run a security scan and it is showing a vulnerability "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure" and the CVE ID is CVE-2008-3273, CVE-2010-1429. I want to remove this vulnerability. So can anyone help me? Do I have updated the wrong version of Jbossweb? Or is there something else wrong?

       

      Thanks,

      Hasham.

        • 1. Re: JBoss EAP Status Servlet Request Remote Information Disclosure
          Hasham Khawaja Newbie

          Can anyone help me with this problem please?

           

          I am using Jboss 4.2.2 GA and JDK 1.5. Which, I think, uses Jbossweb 2.0.1. It have "JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure" vulnerability ( CVE-2010-1429). It is mentioned in many places that it is fixed in "Jboss EAP 4.2.0.CP09". I haven't found any liknk to download this version.

           

          So, is there any patch for Jbossweb 2.0.1 in which this issue is fixed? Or is there any version of Jboss which support JDK 1.5 and does not have critical vulnerabilities? I just want to remove all vulnerabilities from my application. The version of Jboss will not matter as long as it support JDK 1.5.

           

          Thanks,

          Hasham.