3 Replies Latest reply on Jun 2, 2011 6:40 AM by jaikiran pai

    JBoss 5.1.0.GA still has CVE-2009-3555?

    Alex Michael Newbie

      We recently upgraded to JBoss 5.1.0.GA as it was indicated that the referenced CVE was resolved in this build.


      References to its fixing:

      https://access.redhat.com/kb/docs/DOC-20491 - (see halfway down where it states:  Updated openssl version for JBoss Enterprise Application Platform 5.0 was released in version 5.0.1 and is available for download from the Customer Support Portal)


      https://issues.jboss.org/browse/JBPAPP-5293?focusedCommentId=12596085&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel - (shows resolution of another issue because of "fix" of CVE-2009-3555 in JBoss 5.1.0.GA)



      And to show that we are running JBoss 5.1.0.GA:

      boot.log -

      16:24:49,687 INFO  [ServerImpl] Starting JBoss (Microcontainer)...

      16:24:49,718 INFO  [ServerImpl] Release ID: JBoss [The Oracle] 5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)



      JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)] Started in 1m:4s:438ms



      But I am getting the following security issue flagged when HP WebInspect penetration scan is run against it:

      SSLv3/TLS Renegotiation Stream Injection (10942)



      Can someone indicate whether the base install of JBoss 5.1.0.GA has truly fixed this issue or whether I need to install a patch to fully resolve this issue?  I have not implemented the fix in the second link shown above.  My security team is stating that I must not be running JBoss 5.1.0.GA (although I show them this proof and we downloaded that exact version from http://www.jboss.org/jbossas/downloads/).



      Any help is greatly appreciated!
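The fix for CVE-2009-3555 lives in the TLS implementation underneath JBoss (the JVM's JSSE, or OpenSSL when the native connector is in use), which is what a scanner such as WebInspect exercises, so a boot.log release ID alone does not show whether the listener supports RFC 5746 secure renegotiation. The following probe, added here as an example and not code from the original post or from the JBoss project, sends a ClientHello that signals RFC 5746 support and reports whether the ServerHello carries the renegotiation_info extension; host and port are supplied by the caller, and the sample ServerHello records are constructed, not captured traffic.

```python
import socket
import struct

RENEG_INFO = 0xFF01  # RFC 5746 renegotiation_info extension type
SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite

def build_client_hello(suites=(0x002F, 0x0035, 0x000A)):
    """TLS 1.0 ClientHello that signals RFC 5746 support both ways (SCSV + empty renegotiation_info)."""
    cs = b"".join(struct.pack("!H", s) for s in suites + (SCSV,))
    ext = struct.pack("!HHB", RENEG_INFO, 1, 0)  # type, length 1, empty renegotiated_connection
    body = (b"\x03\x01" + bytes(32) + b"\x00"     # version, client random (zeros suffice for a probe), no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # cipher suites; one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_hello_has_reneg_info(data):
    """True only if the first record is a ServerHello carrying renegotiation_info (RFC 5746)."""
    if len(data) < 9:
        return False
    if data[0] != 0x16 or data[5] != 0x02:  # alert record, or first handshake message is not ServerHello
        return False
    msg = data[9:9 + int.from_bytes(data[6:9], "big")]
    p = 2 + 32                   # skip server_version and random
    p += 1 + msg[p] + 2 + 1      # session_id, cipher_suite, compression_method
    if p + 2 > len(msg):
        return False             # no extension block at all: legacy (insecure) renegotiation only
    end = p + 2 + int.from_bytes(msg[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype, xlen = struct.unpack("!HH", msg[p:p + 4])
        if etype == RENEG_INFO:
            return True
        p += 4 + xlen
    return False

def make_server_hello(with_reneg_info):
    """Constructed sample ServerHello record (not captured traffic) for offline testing."""
    ext = struct.pack("!HHHB", 5, RENEG_INFO, 1, 0) if with_reneg_info else b""  # extensions length 5
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2F" + b"\x00" + ext  # TLS 1.0, no session id, AES128-SHA, null
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def check_server(host, port=443, timeout=5):
    """Probe a live server; True means it advertises secure renegotiation, False means it does not."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(16384)  # ServerHello leads the server's first flight
    return server_hello_has_reneg_info(data)
```

Run check_server() against your own HTTPS listener; a False result means the TLS stack behind JBoss is not advertising secure renegotiation regardless of the JBoss release shown in boot.log.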