0 Replies Latest reply on Jun 3, 2016 5:15 PM by sgibbs

    how to remove or secure status servlet for jboss 4.2.3GA


      Ran into some JBOSS security vulnerabilities. Most of these are addressed with the Usage Note 53977: Removing the JMX Console and the EJBInvokerServlet and JMXInvokerServlet applications from the JBoss application server (http://support.sas.com/kb/53/977.html).

      The one that is not addressed in this Note is: the version of JBOSS Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to a status servlet, which is used to monitor sessions and requests sent to the server. The version of JBoss is 4.2.3GA.

      Is there a way to secure or remove this servlet if it is not being used? It is being used with SAS 9.3 and the SAS software does not use the status servlet.

      Thank you!