1 Reply Latest reply on Jun 20, 2005 10:29 AM by Scott Stark

    anyone know of a fix for this critical vulnerability?

    Adrian Wilford Newbie

      http://www.securityfocus.com/archive/1/402653/30/0/threaded

      I have seached the forums and JIRA, and i cant find any reference to this!

      Thanks,
      Adrian

        • 1. Re: anyone know of a fix for this critical vulnerability?
          Scott Stark Master

          If you read the security advisory, the fix is mentioned at the end. Edit the conf/jboss-service.xml and set the DownloadServerClasses attribute to false in the WebService mbean configuration:

          
          <mbean code="org.jboss.web.WebService"
          name="jboss:service=WebService">
           <attribute name="Port">8083</attribute>
           <!-- Should resources and non-EJB classes be downloadable -->
           <!-- old <attribute name="DownloadServerClasses">true</attribute> -->
           <!-- new --> <attribute name="DownloadServerClasses">false</attribute>
           <attribute name="Host">${jboss.bind.address}</attribute>
           <attribute name="BindAddress">${jboss.bind.address}</attribute>
          </mbean>