Look in http://anonsvn.jboss.org/repos/jbossas/tags/JBoss_4_0_3_SP1/build/build-thirdparty.xml
So it uses the tomcat from http://repository.jboss.com/apache-tomcat/5.5.9jboss/src/
Looks like a normal tc-5.5.9.
So look in http://tomcat.apache.org/security-5.html
Answer: yes, you are vulnerable.
Thank you for the response. I was hoping that the embedded Tomcat was not the full version, but was obviously wrong.
So, I presume, the only solution is to upgrade JBoss? Is there a patch available to apply to 4.0.3SP1?
Thank you again.