Hi Wolfgang, thanks for the quick reply.
Yes, I'm referring to JSR 160. From your answer I take it that from JBossAS 6 M3 onwards this vulnerability is no longer an issue (please correct me if I'm wrong).
I used the CVE-2014-3518 vulnerability detection tool against JBossAS 6.1 and it flagged the vulnerability as present (see redhat.com, which provides a jar for testing, CVE-2014-3518-SAFE.jar -- sorry, it requires login). Looking at the tool implementation, however, it looks like the tool just checks whether JMX remoting is enabled on the server. It does not check the version of JBoss... It *looks* like the tool is really there to check whether JBoss 5.x is vulnerable to this, not other versions. So the vulnerability alert from the tool looks like a false positive when run against JBossAS 6.1.... is this correct?
Again, thanks for your help on this,
It looks like the testing tool does not catch exceptions when accessing the mail server.
In JBoss 6.0 I get an entry in the log "19:35:54,676 ERROR [org.jboss.resource.adapter.mail.inflow.MailActivation] Failed to execute folder check, spec=MailActivationSpec(mailServer=COMMENTED mail.messagingengine.com, ...".
This does not appear in version 5.
Btw. the directory structure and port changed from 6.1 onwards. When just calling the tool with
java -jar CVE-2014-3518-SAFE.jar -H hostname
I get a message: [CVE-2014-3518] Could not make an RMI connection, skipping. Reason: Cannot connect to host at given port
When providing the port like:
java -jar CVE-2014-3518-SAFE.jar -H hostname -r 8080
the tool gets a timeout and shows '[CVE-2014-3518] Cache poisoning failed. Reason: addr is of illegal length.'
I don't think it is useful for JBoss 6 and higher.
What did you enter to get the "[CVE-2014-3518] MailService returned as expected, VULNERABLE" message?