0 Replies Latest reply on Sep 18, 2002 8:51 PM by Julian Gosnell

    URGENT: JBoss 3.0.1/2 with Jetty - Security Exploit report &

    Julian Gosnell Expert


      A security hole has been found that allows JSP source to be viewed
      remotely.

      This problem is present in the Jetty versions packaged as JBossWeb in
      JBoss versions 3.0.1 and 3.0.2.

      JBoss/Tomcat users need take NO action.

      Two upgrade paths are available:

      EITHER:

      Upgrade to JBoss 3.2

      http://sourceforge.net/project/showfiles.php?group_id=22866

      OR:

      Download Jetty-4.1.0RC5 or above from:

      http://sourceforge.net/project/showfiles.php?group_id=7322

      and replace the org.mortbay.jetty.jar and the org.mortbay.jmx.jars in
      your JBoss distrib's jbossweb.sar directories with the ones included
      in the lib/ directory of this package.


      Jules