JBoss, as provided, is "developer friendly," which means that it is easy to start working with because it is wide open and has no security. Before releasing JBoss into production, you must take steps to secure it. In this light, it is good that the US-CERT report alerts companies to this fact.
By the way, the JEMS installer gives the option of securing the various consoles as part of the installation.
JBoss, as provided, is "developer friendly"
I agree. It's our job to prevent it from being "hacker friendly." Just figured this was worth a post here.