I have been asked in regards to this vulnerability too.
I think that the vulnerability actually has to do with the embedded JBossWeb server. JBoss 4.2.3 utilizes JBossWeb 2.0.1 GA.
You can see the version of JBossWeb utilized in the file "thirdparty-licenses.xml".
JBossWeb 2.0.1 is based on Apache 6.0.13.
The last stable version of JBossWeb is 2.1.0, but it is the one used by JBoss AS 5.0.x
JBossWeb 2.1.0 is based on Apache Tomcat 6.0.16.
That means that even if you wanted to substitute the JBossWeb jars in your JBoss with the jars of 2.1.0, hoping that it works, you would still be using a library based on Apache 6.0.16.
You may want to review your settings for URIEncoding and allowLinking, and try to convince your security advisor that you are not affected, given that you have values for these attributes other than UTF-8 and true.
Sounds good. I was already convinced the specific context needed to open the breach wasn't met. Thanks for your answer.
You can also check out http://anonsvn.jboss.org/repos/jbossweb/branches/JBOSSWEB_2_0_0_GA_CP/ and build JBossWeb; then you need to copy the jbossweb jar files to replace your 4.2.2 version.
If you don't have URIEncoding="UTF-8" in the connector entries of server.xml, you aren't at risk with CVE-2008-2938.
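The two replies above both come down to one configuration check: whether a Connector sets URIEncoding="UTF-8" and a Context sets allowLinking="true" at the same time. The following script is an added example, not code from this thread or from the JBoss project; it parses a server.xml-style document and reports those two settings so an administrator can answer the security advisor's question from the actual configuration rather than from memory. The sample XML is constructed for the demonstration, and the assumption that allowLinking appears on a Context element inside server.xml (rather than in a separate context.xml) is mine, not the thread's.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real deployment): one connector with
# UTF-8 URI decoding, one without, and a context that allows symlinks.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    <Engine name="jboss.web" defaultHost="localhost">
      <Host name="localhost">
        <Context path="" docBase="ROOT.war" allowLinking="true" />
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Same layout with the two risky attributes removed, for comparison.
SAFE_SERVER_XML = SAMPLE_SERVER_XML.replace(' URIEncoding="UTF-8"', "") \
                                   .replace(' allowLinking="true"', "")


def audit_server_xml(xml_text):
    """Return a list of (element, identifier, setting) tuples for every
    Connector with URIEncoding=UTF-8 and every Context with allowLinking=true.

    An absent URIEncoding attribute is left alone: Tomcat 6 then decodes the
    URI as ISO-8859-1, which is exactly the "not UTF-8" case the thread
    describes as not at risk."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        enc = conn.get("URIEncoding")
        if enc is not None and enc.strip().upper() == "UTF-8":
            findings.append(("Connector", conn.get("port", "?"), "URIEncoding=UTF-8"))
    for ctx in root.iter("Context"):
        if (ctx.get("allowLinking") or "").strip().lower() == "true":
            findings.append(("Context", ctx.get("path", "?"), "allowLinking=true"))
    return findings


def both_conditions_present(findings):
    """True only when a UTF-8 connector and a linking-enabled context coexist,
    which is the combination the thread says must hold for the issue to apply."""
    has_utf8 = any(f[2] == "URIEncoding=UTF-8" for f in findings)
    has_linking = any(f[2] == "allowLinking=true" for f in findings)
    return has_utf8 and has_linking


def audit_file(path):
    """Convenience wrapper: audit a server.xml on disk (path is caller-supplied)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SERVER_XML), ("safe", SAFE_SERVER_XML)):
        found = audit_server_xml(doc)
        print(label, "->", found, "| both present:", both_conditions_present(found))
```

Point `audit_file()` at the server.xml of the JBossWeb deployer (the exact location under the server's deploy directory varies by JBoss version, so check your own installation) and the output lists exactly which connector ports and context paths carry the two attributes; an empty list, or a list that contains only one of the two settings, matches the "not affected" reasoning given above.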
Thanks for your very quick answer, Jean!