I have a product built on JBoss 4.23.000. We learned from an internal auditing team that this version of JBoss's web container has a known vulnerability called "Hash Collision".
The workaround of setting the configuration parameter -Dorg.apache.tomcat.util.http.Parameters.MAX_COUNT is not applicable to the JBoss 4.23.00 version.
I have seen that JBoss 7.x has a workaround fix for this issue.
If this is recommended, which other jars, along with jbossweb.jar, need to be copied to JBoss 4.23.00? I ask because I notice that JBoss 7's web module has a larger number of jars this time.
Alternatively, change the same code in JBoss 423's jbossweb.src and rebuild locally to address this security issue.
I know that doing it this way solves only this one security issue, but not the rest that are fixed by JBoss 7.x.
Please suggest which option is better, given the constraint that we cannot choose to migrate to JBoss 7.x at this point in time.
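As an added illustration (not part of the question above, and not JBoss or Tomcat code), the following Python shows the mechanism behind the "Hash Collision" issue and why a parameter-count cap such as the MAX_COUNT setting mentioned above defuses it. It re-implements java.lang.String.hashCode() to generate many distinct keys with one hash code, then feeds them through a toy form-parameter parser with a count limit. The parser, the MAX_PARAMS limit and the request bodies are constructed here for illustration and stand in for the container's real parameter parsing.

```python
"""Added example: Java String.hashCode() collisions and a parameter-count cap.

Everything below is constructed for illustration. The toy parser stands in
for the servlet container's form-parameter parsing, and the max_count argument
plays the role of the org.apache.tomcat.util.http.Parameters.MAX_COUNT setting.
"""
from itertools import product


def java_hash(s: str) -> int:
    """Re-implement java.lang.String.hashCode(): h = 31*h + c, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


# "Aa" and "BB" have the same hash code (65*31 + 97 == 66*31 + 66 == 2112).
# For strings of equal length, hash(X + Y) == hash(X) * 31**len(Y) + hash(Y),
# so any concatenation of equal-length, equal-hash blocks collides as well:
# k blocks give 2**k distinct keys that all share one hash code.
COLLIDING_BLOCKS = ("Aa", "BB")


def colliding_keys(blocks: int) -> list:
    """Return 2**blocks distinct strings that all have the same Java hash code."""
    return ["".join(p) for p in product(COLLIDING_BLOCKS, repeat=blocks)]


def build_body(keys, value: str = "x") -> str:
    """Build a constructed application/x-www-form-urlencoded body from the given keys."""
    return "&".join(f"{k}={value}" for k in keys)


def parse_params(body: str, max_count: int) -> dict:
    """Toy form-parameter parser with a parameter-count cap.

    Without a cap, a request carrying thousands of colliding keys forces a
    chained hash table (as in Java's HashMap of that era) into O(n^2) work.
    With the cap, the request is rejected as soon as more than max_count
    parameters have been seen, before the table can grow.
    """
    params = {}
    count = 0
    for pair in body.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_count:
            raise ValueError(f"more than {max_count} parameters in request")
        name, _, value = pair.partition("=")
        params[name] = value
    return params


def accepts(body: str, max_count: int) -> bool:
    """True if the body parses within the cap, False if it is rejected."""
    try:
        parse_params(body, max_count)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    keys = colliding_keys(10)  # 1024 distinct keys, one hash code
    print("distinct keys:", len(set(keys)))
    print("distinct hash codes:", len({java_hash(k) for k in keys}))
    body = build_body(keys)
    print("accepted with cap 2000:", accepts(body, 2000))
    print("accepted with cap 512:", accepts(body, 512))
```

Python's own dict uses randomized hashing, so this script does not reproduce the slowdown itself; what it shows is how cheaply an attacker obtains colliding keys for Java's fixed hash function, and that a cap on the parameter count rejects such a request regardless of which keys it carries. Whatever option you choose for 4.2.3, the thing to verify afterwards is that the rebuilt or replaced container actually enforces such a limit.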