3 Replies Latest reply on Jun 2, 2011 6:40 AM by jaikiran

    JBoss 5.1.0.GA still has CVE-2009-3555?

    asmichael

      We recently upgraded to JBoss 5.1.0.GA as it was indicated that the referenced CVE was resolved in this build.


      References to its fixing:

      https://access.redhat.com/kb/docs/DOC-20491 - (see halfway down where it states:  Updated openssl version for JBoss Enterprise Application Platform 5.0 was released in version 5.0.1 and is available for download from the Customer Support Portal)


      https://issues.jboss.org/browse/JBPAPP-5293?focusedCommentId=12596085&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel - (shows resolution of another issue because of "fix" of CVE-2009-3555 in JBoss 5.1.0.GA)


      And to show that we are running JBoss 5.1.0.GA:

      boot.log -

      16:24:49,687 INFO  [ServerImpl] Starting JBoss (Microcontainer)...

      16:24:49,718 INFO  [ServerImpl] Release ID: JBoss [The Oracle] 5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)


      server.log

      JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)] Started in 1m:4s:438ms


      But I am getting the following security issue flagged when HP WebInspect penetration scan is run against it:

      SSLv3/TLS Renegotiation Stream Injection (10942)


      Can someone indicate whether the base install of JBoss 5.1.0.GA has truly fixed this issue or whether I need to install a patch to fully resolve this issue? I have not implemented the fix in the second link shown above. My security team is stating that I must not be running JBoss 5.1.0.GA (although I show them this proof and we downloaded that exact version from http://www.jboss.org/jbossas/downloads/).


      Any help is greatly appreciated!
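A way to settle the question independently of the release string in boot.log, as an added example that is not part of the original thread and not JBoss code: CVE-2009-3555 is fixed by the RFC 5746 renegotiation_info extension, and an OpenSSL client reports whether the server negotiated it ("Secure Renegotiation IS supported" or "IS NOT supported"). The script below classifies that transcript and can probe a live HTTPS connector. It assumes openssl(1) is on PATH and that the connector listens on the default JBoss HTTPS port 8443; the sample transcripts are constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the original thread or from JBoss.
# CVE-2009-3555 is the TLS renegotiation plaintext-injection flaw; the fix
# is the renegotiation_info extension of RFC 5746. The release string in
# boot.log says nothing about that, but the TLS listener does: an OpenSSL
# client prints "Secure Renegotiation IS supported" only when the server
# negotiated the extension. This script classifies an openssl s_client
# transcript and can probe a live HTTPS connector.

# classify_renegotiation: read an s_client transcript on stdin and print
# "secure", "insecure" or "unknown".
classify_renegotiation() {
    transcript=$(cat)
    case "$transcript" in
        *"Secure Renegotiation IS supported"*)      echo secure ;;
        *"Secure Renegotiation IS NOT supported"*)  echo insecure ;;
        # OpenSSL 3.x refuses such servers outright unless told not to;
        # that refusal is itself the finding.
        *"unsafe legacy renegotiation disabled"*)   echo insecure ;;
        *)                                          echo unknown ;;
    esac
}

# probe_renegotiation HOST [PORT]: connect to the HTTPS connector (assumption:
# openssl(1) on PATH; 8443 is the default JBoss HTTPS port) and classify the
# result. -legacy_server_connect lets OpenSSL 3.x complete the handshake with
# a server that lacks RFC 5746, so the status line is actually printed.
probe_renegotiation() {
    host=$1
    port=${2:-8443}
    openssl s_client -connect "$host:$port" -legacy_server_connect \
        </dev/null 2>&1 | classify_renegotiation
}

# Constructed transcript excerpts (not captured from the poster's server),
# so the classifier can be exercised offline.
SAMPLE_INSECURE='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

SAMPLE_SECURE='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

if [ "$#" -ge 1 ]; then
    probe_renegotiation "$@"
else
    printf 'constructed insecure sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_INSECURE" | classify_renegotiation)"
    printf 'constructed secure sample:   %s\n' \
        "$(printf '%s\n' "$SAMPLE_SECURE" | classify_renegotiation)"
fi
```

Run it as `sh check_renego.sh jboss-host 8443` against the connector the scanner hit. "insecure" means the listener does not offer RFC 5746, which is what a scanner reports as renegotiation stream injection; note that the TLS stack behind a JBoss Web connector is the JVM's JSSE (or the APR/OpenSSL native library), so the answer depends on that component rather than on the AS release string. If the output is "insecure" but you believe renegotiation is disabled outright, confirm interactively by typing `R` at the s_client prompt and seeing whether the server accepts the renegotiation.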

        • 1. JBoss 5.1.0.GA still has CVE-2009-3555?
          jaikiran

          You are using the community edition of JBoss AS 5. All those fixes have been made to the enterprise (paid) version of JBoss EAP 5.x series and also in JBoss AS 6.x community edition series.

          • 2. Re: JBoss 5.1.0.GA still has CVE-2009-3555?
            asmichael

            That's a great help.  Is there a way to manually apply these fixes in the community edition of JBoss AS 5?  Where would I start?

            • 3. Re: JBoss 5.1.0.GA still has CVE-2009-3555?
              jaikiran

              I haven't tried it myself, so don't really know. For each of those fixes, you'll have to find what files changed in what (sub)project and then apply those patches and rebuild the AS. Easier said than done, for something like this.


              Why not upgrade to the latest community release and see if it has been fixed, or maybe buy the EAP version (which will have these fixes).