0 Replies Latest reply on May 25, 2016 8:50 AM by Alagu AR

    Reg the CVE-2012-0874 and CVE-2016-2094

    Alagu AR Newbie

      Hi Experts,

       

      This is my first post in this forum, kindly excuse if this is a repetition or informerly framed.

       

      I have few clarifications regarding the following CVEs,

       

      1. https://access.redhat.com/security/cve/CVE-2012-0874 JBoss invoker servlets do not require authentication

      2. https://access.redhat.com/security/cve/CVE-2016-2094 EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client

       

      First CVE has been addressed as part of Jboss EAP 5.2.0 and second one as part of JBEAP 6.4.

       

      We are currently using Jboss Application Server 6.1.0 Final. We guess that the first CVE has no effect (since the CVE is raised against 5.2 version) on this version but still we need confirmation from you experts too.

       

      Reg second CVE we have a slight clarification whether it affects Jboss AS releases if so, is there any Jboss AS releases which has the fix for this CVE. If not kindly direct us with the application server release version to which we can upgrade so that these security vulnerability are no more an issue.

       

      Kindly help out with our clarification.

       

      Thanks,

      Alagu