Hello Experts, I have some questions regarding Cisco Fabric and Device manager applications

Problem description from customer:

During an internal penetration test within the company, JBOSS components running within Cisco Fabric and Device Manager were listed as potential security vulnerabilities.  The report stated that JBOSS needed to be upgraded to version 4.3.0 CP08 or later.  At that time, they were running version 5.04 for both Fabric Manager and Device Manager.  In an attempt to upgrade the JBOSS components, Customer upgraded these applications and switch firmware to version 5.0(4b).  This did upgrade JBOSS to version 4.2.2 .

Customer would like more information if there is in fact a security vulnerability within these applications and if so how to isolate or eliminate these vulnerabilities. I am not sure what penetration test tool was used and did not receive this information.