This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.
The remote Red Hat host is missing a security update.
The version of JBoss Enterprise Application Platform 6.0.1 running on
the remote system is vulnerable to the following issues:
- A man-in-the-middle attack is possible when applications running on JBoss Web use the COOKIE session tracking method. The flaw is in the method. By making use of this, an attacker could obtain a user's jsessionid and hijack their session.
- If multiple applications use the same custom authorization module class name, a local attacker could deploy a malicious application authorization module that would permit or deny user access. (CVE-2012-4572)
- XML encryption backwards compatibility attacks could allow an attacker to force a server to use insecure legacy cryptosystems. (CVE-2012-5575)
- A NULL pointer dereference flaw could allow a malicious OCSP to crash applications performing OCSP verification.
- OpenSSL leaks timing information, which could allow a remote attacker to retrieve plaintext from the encrypted packets. (CVE-2013-0169)
- The JBoss Enterprise Application Platform administrator password and the sucker password are stored in a world-readable, auto-install XML file created by the GUI
- Tomcat incorrectly handles certain authentication requests. A remote attacker could use this flaw to inject a request that would get executed with a victim's
See also :
Upgrade the installed JBoss Enterprise Application Platform 6.0.1 to 6.1.0 or later.
Risk factor :
High / CVSS Base Score : 7.8
CVSS Temporal Score : 6.8
Public Exploit Available : false