Ran into some JBOSS security vulnerabilities. Most of these are addressed by Usage Note 53977: Removing the JMX Console and the EJBInvokerServlet and JMXInvokerServlet applications from the JBoss application server (http://support.sas.com/kb/53/977.html).
The one that is not addressed in this Note is that the version of JBOSS Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to a status servlet, which is used to monitor sessions and requests sent to the server. The version of JBoss is 4.2.3GA.
Is there a way to secure or remove this servlet if it is not being used? It is being used with SAS 9.3 and the SAS software does not use the status servlet.