0 Replies Latest reply on Jul 7, 2011 5:10 AM by ukin.tht

    JBoss 4.2.2 AS Vulnerability to CVE-2009-0027

    ukin.tht

      Hi there,

      My first post here.


      My security advisor asked me whether JBoss AS 4.2.2 is vulnerable to CVE-2009-0027 as stated in http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0027


      -------------------------

      The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote attackers to read arbitrary XML files via a crafted request.

      -------------------------


      I'm not using JBossWS in my application, so I think I'm safe from this vulnerability. Is that right?


      Any hints on this?