0 Replies Latest reply on Jul 7, 2011 5:10 AM by william jin

    JBoss 4.2.2 AS Vulnerability to CVE-2009-0027

    william jin Newbie

      Hi there,

      my first post here.

       

      My security advisor ask me if JBoss AS 4.2.2 is vulnerable to CVE-2009-0027 as stated in http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0027

       

      -------------------------

      The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

      -------------------------

       

      I'm not using JBossWS in my application, so i think i'm safe from this vulnerability, is it right?

       

      Any hints on this?