1 Reply Latest reply on Apr 30, 2011 5:10 AM by Wolf-Dieter Fink

    new to jboss - seeking help with 4.2.3

    charlie w Newbie

      hello JBOSS user forum

       

      My company recently purchased software that uses JBOSS (jboss-4.2.3.GA) as application server. A network scan found the following:

       

      Windows Server 2003 (Service Pack 2)

      Description:

      A vulnerability exists in JBoss Enterprise Application Platform(EAP) that may allow for sensitive information disclosure.

      Recommendation:

      Update JBoss Enterprise Application Platform to 4.2.0.CP3 or4.3.0.CP1

      Observation:

      JBoss Enterprise Application Platform (EAP) is a platform forrunning Java applications.

      The flaw lies in the status servlet in JBoss EAP. Successfulexploitation would allow remote attackers to obtain sensitive information

      via a request with a "full=true" query string.

      Common Vulnerabilities & Exposures (CVE) Link:

      CVE-2008-3273

      IAVA Reference Number

      IAVA-REF-NUMBER-NOMATCH

       

       

      1. what does GA and CP stand for?

      2. why is it recommended that i "update" to a seemingly older version?

       

      thanks in advance

        • 1. new to jboss - seeking help with 4.2.3
          Wolf-Dieter Fink Master

          Hi Charlie,

          you have found help , welcome to the community-forum.

           

          There are two different JBoss distributions

          1) the community with releases like 4.2.1, 4.2.2, 4.2.3 and so on for different releases.

          This version is open source without any professional support, you might get help here or not.

          New and experimental features might raise here earlier.

           

          2) The EAP (Enterprise Application Platform) version will count 4.2.0, 4.3.0 with a CP number (Cumulative Patch)

          This version is only available if you have a support contract with RedHat (or as evaluation version).

          The version have a more stable release and test cycle, you get updates for previous versions and, in case of bugs, a special patch for your version in production.

           

          Because of this a 4.2.0.GA_CP0x might be newer as the 4.2.3(community).

           

          I hope this will make it clear for you.