0 Replies Latest reply on Mar 28, 2017 2:27 AM by Mohana Vijayaraghavan

    Jboss 4.3 Vulnerability Issues

    Mohana Vijayaraghavan Newbie

      Hi,

      Our application is deployed on JBoss 4.3. Recently we have been getting the security issues below. We will not be able to upgrade the version of JBoss. Can you please suggest a possible fix for these identified vulnerabilities?

      1. Product : JBoss AS 4.3.x
         Server response header : JBoss-4.3.0.GA_CP06
         Support ended : 2011-01-01 (end of production phase) / 2013-01-01 (end of maintenance support)
         Extended support ended : 2016-06-01
         Supported versions : JBoss 5.x / 6.x / 7.x / Wildfly (8.x)
         Additional information : https://access.redhat.com/site/support/policy/updates/jboss_notes/
         Port: www (9080/tcp)

      2. JBoss Enterprise Application Platform '/web-console' Authentication Bypass : The version of JBoss Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to certain documents under the '/web-console' directory. This is due to a misconfiguration in 'web.xml' that only requires authentication for GET and POST requests. Specifying a different command such as HEAD, DELETE or PUT causes the default GET handler to be used without authentication. A remote attacker can exploit this to obtain sensitive information without providing authentication. This version of JBoss EAP likely has other vulnerabilities, though Nessus has not checked for those issues.

         Nessus retrieved http://toxtest03.usac.mmm.com:9200/web-console/ServerInfo.jsp using the following request :
         ------------------------------ snip ------------------------------
         PUT /web-console/ServerInfo.jsp HTTP/1.1
         Host: toxtest03.usac.mmm.com:9200
         Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
         Accept-Language: en
         Connection: Close
         Content-Length: 0
         User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
         Pragma: no-cache
         Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
         ------------------------------ snip ------------------------------
         Port: www (9200/tcp)

      Regards,

      Mohana
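The web.xml shape the scanner finding describes, shown as an added example (not from the post above or from the JBoss distribution): the weak security-constraint that lists only GET and POST, beside the corrected form that drops the http-method elements so the constraint covers every method. The resource name, role name and url-pattern are placeholders, and the example assumes the login-config and security-domain for the /web-console deployment are already in place.

```xml
<!-- WEAK: only GET and POST are inside the constraint. Any other method
     (HEAD, PUT, DELETE, ...) falls outside it and the servlet container
     serves the JSP through its default GET handling with no login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>web-console</web-resource-name>   <!-- placeholder -->
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ConsoleAdmin</role-name>                   <!-- placeholder role -->
  </auth-constraint>
</security-constraint>

<!-- FIXED: with no http-method elements the servlet spec applies the
     constraint to all HTTP methods, so a PUT or HEAD for
     /web-console/ServerInfo.jsp gets the same authentication challenge
     as a GET. Nothing else about the deployment needs to change. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>web-console</web-resource-name>   <!-- placeholder -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ConsoleAdmin</role-name>                   <!-- placeholder role -->
  </auth-constraint>
</security-constraint>
```

After editing the web.xml of the /web-console deployment, re-run the same scanner check (or repeat the PUT request shown in the finding) and confirm the server now answers with an authentication challenge rather than the page body.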