We are currently running JBoss AS version 4.2.3 GA and now moving up to the latest one that is version 7.1.1 Final. One of the reasons (among others) why we are looking to upgrade is because there were a couple of security vulnerabilities found in the current version that we are running that we need to resolve for PCI compliance purposes.
The CVEs corresponding to these vulnerabilities are:
- CVE-2009-3555 - This seems to have been resolved in Enterprise Web Server version 1.0.1 as per this link - https://rhn.redhat.com/errata/RHSA-2010-0119.html
- CVE-2008-7270 - This seems to have been resolved in Enterprise Web Server version 1.0.2 as per this link - https://rhn.redhat.com/errata/RHSA-2011-0896.html
We understand that these links correspond to the Enterprise version of the JBoss Web Server, and that the web server is no longer a standalone product and has been merged with the application server. Knowing that, our assumption is that the fixes that were made in version 1.0.2 (and 1.0.1) of the Enterprise Web Server must be part of the latest community version of the Application Server as well.
We couldn't find any patches for these vulnerabilities for version 4.2.3 GA, and it looks like upgrading the server is the only option. And since we're upgrading, we are thinking of upgrading to the latest version (7.1.1 Final) altogether.
Can anyone please confirm whether the assumption mentioned above is correct? We have been unable to find any information regarding it in our searches and in our attempts to find out from Red Hat support (since they do not keep any information about the community versions of JBoss). Also, is it safe to assume that going to the latest and greatest version of JBoss is a good idea, since it will be secure against most of the vulnerabilities, and there will be a better chance of finding patches for the latest version than for an older one for any new vulnerabilities that crop up?
Please let me know if any other information is required that would be helpful in answering this question. Thank you!
NOTE: For various reasons, we are at this moment not planning to go for the JBoss EAP 6. The Community AS satisfies all our needs and the EAP will be overkill at this point.