0 Replies Latest reply on Aug 29, 2008 11:08 AM by ramboid

    Vulnerability Scan in JBoss 2.2.3.GA

    ramboid

How can I configure version 2.2.3.GA to avoid a vulnerability with the status servlet without having to leave the open source version of JBoss? In a recent vulnerability scan of my company's systems, JBoss 2.2.3.GA was reported with the following vulnerability:

      TCP 8443 pcsync-https 5
      Synopsis : The remote web server contains a servlet that is affected by an information disclosure vulnerability.
      Description : The version of JBoss Enterprise Application Platform (EAP) running on the remote host allows unauthenticated access to the status servlet, which is used to monitor sessions and requests sent to the server.
      See also : https://bugzilla.redhat.com/show_bug.cgi?id=457757
                 http://jira.jboss.com/jira/browse/JBPAPP-544 (login required)
      Solution : Upgrade to JBoss EAP version 4.2.0.CP03 / 4.3.0.CP01.
      Risk Factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
      CVE : CVE-2008-3273
      BID : 30540
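Whatever remediation is chosen (the upgrade the scanner recommends, or putting the servlet behind a security constraint), it is worth being able to reproduce the scanner's finding and confirm it is gone. The script below is an added example written for this thread, not code from ramboid's post or from the JBoss project. It assumes the status servlet answers at /status?full=true (the path the CVE-2008-3273 description refers to; adjust it if your deployment maps it elsewhere) and it interprets the HTTP status of an unauthenticated request as follows: 200 means anyone can read the session and request data, 401 or 403 means a security constraint or filter is in front of it, and 404 means it is not deployed. TLS verification is deliberately switched off because port 8443 on such hosts usually carries a self-signed certificate and the check is about the servlet, not the certificate.

```python
"""Check whether a JBoss/Tomcat host exposes its status servlet without credentials.

Added example for this thread; assumes the servlet path below and the
status-code interpretation in classify().
"""
import ssl
import sys
import urllib.error
import urllib.request

STATUS_PATH = "/status?full=true"  # assumed path, taken from the CVE-2008-3273 description


def status_url(base_url: str) -> str:
    """Build the full URL of the status servlet from a scheme://host:port base."""
    return base_url.rstrip("/") + STATUS_PATH


def classify(status_code: int) -> str:
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if status_code == 200:
        return "EXPOSED"        # sessions and requests readable by anyone
    if status_code in (401, 403):
        return "PROTECTED"      # a security constraint or filter blocks anonymous access
    if status_code == 404:
        return "NOT_DEPLOYED"   # the servlet mapping is absent
    return "UNKNOWN"


def fetch_status_code(base_url: str, timeout: float = 5.0) -> int:
    """Request the status servlet with no credentials and return the HTTP code.

    Certificate checks are disabled on purpose: the target is normally a
    self-signed 8443 listener and the question is only whether the servlet
    answers anonymously.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        status_url(base_url),
        headers={"User-Agent": "status-servlet-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as HTTPError; the code is still the answer we want
        return err.code


def probe(base_url: str) -> str:
    """Return the verdict for one host."""
    return classify(fetch_status_code(base_url))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8443"
    print(f"{status_url(target)}: {probe(target)}")
```

Run it as `python check_status_servlet.py https://host:8443` before and after the change; a result of EXPOSED is what the scanner saw, and PROTECTED or NOT_DEPLOYED is what you want to see afterwards. Any other code (a redirect to a login page, a 500) shows up as UNKNOWN and deserves a manual look rather than being counted as fixed.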