4 Replies Latest reply on Jan 1, 2014 11:40 PM by arun168403

Security fixes for jboss4.2.3

arun168403 Dec 19, 2013 8:00 AM

I would like to upgrade my JbossWeb to latest one which suppports Jboss4.2.3 to fix the following security issues:

Could any body guide how this can be achived

1. Re: Security fixes for jboss4.2.3

jfclere Dec 19, 2013 9:25 AM (in response to arun168403)

CVE-2012-2733 is doesn't apply on jbossweb.
CVE-2012-5568 see https://issues.apache.org/bugzilla/show_bug.cgi?id=54263
CVE-2013-0169 that is a TLS issue and a JVM one according to the description (upgrade your JVM).

1 of 1 people found this helpful
Actions
2. Re: Security fixes for jboss4.2.3

arun168403 Dec 24, 2013 6:44 AM (in response to jfclere)

HI Jean-Frederic Clere,

Thanks for the responce.

Reg: CVE-2012-2733 - I see a comment on the link https://bugzilla.redhat.com/show_bug.cgi?id=873695 stating

Comment 1: "This issue affects the version of the tomcat6 package as shipped with JBoss Enterprise Web Server 1.0.2."
and this issue has been addressed in version JBoss Enterprise Web Server 2.0.0 (Comment 13 on the same link)

I believe Jboss4.2.3 using JbossWeb 2.0.1 GA. So, do you believe this CVE issue is no more in JbossWeb.

Could you guide me.
Actions
3. Re: Security fixes for jboss4.2.3

jfclere Dec 30, 2013 5:54 AM (in response to arun168403)

EWS contains a supported version of tomcat(s) (and httpd and a lot more).
AS4.2.3 doesn't use tomcat but JBossWeb which is a fork of tomcat and it isn't affected for CVE-2012-2733?
1 of 1 people found this helpful
Actions
4. Re: Security fixes for jboss4.2.3

arun168403 Jan 1, 2014 11:40 PM (in response to jfclere)

HI Jean-Frederic Clere

Thank you verymuch for the guide.
Actions