JBoss EAP < 4.2.0.CP09 / 4.3.0.CP08 Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 5521
Synopsis
The remote web server is vulnerable to multiple attack vectors.
Description
The remote host is running JBoss Enterprise Application Platform (JBEAP) < 4.2.0.CP09 / 4.3.0.CP08. Such versions are potentially affected by multiple vulnerabilities.
- The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP 'verbs'. A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. (CVE-2010-0738)
- It is possible to bypass authentication for /web-console in the same way, by specifying an HTTP method other than GET or POST. (CVE-2010-1428)
- An information disclosure vulnerability allows remote attackers to acquire details about deployed web contexts. (CVE-2010-1429)
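The first two issues are verb-tampering bugs: a Servlet security-constraint that lists <http-method> elements applies only to those methods, so a request using HEAD (which HttpServlet dispatches to the GET handler) or any other verb never hits the auth-constraint. The script below is an added example, not code from the plugin or from JBoss. It models that matching rule over two constructed web.xml fragments, one shaped like the vulnerable configuration (GET and POST only) and one with the <http-method> elements removed so the constraint covers every verb, and lists which verbs would reach a context-relative path without authentication. The probe() helper, which sends the same verbs to a live host and returns the status code per verb, is also an assumption of this example and is not run by the offline check; the host, port and context path are placeholders.

```python
"""Why listing only GET/POST in a security-constraint is bypassable.

Added example (not JBoss or Nessus code). The web.xml fragments are
constructed to mirror the shape of the affected configuration, not
copied from a JBoss distribution.
"""
import http.client
import xml.etree.ElementTree as ET

# Constructed fragment: constraint restricted to GET and POST (vulnerable shape).
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed fragment: same constraint with no <http-method> elements, which
# per the Servlet spec makes it apply to every HTTP method.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(web_xml):
    """Return (url_patterns, http_methods, restricted) per security-constraint.

    An empty http_methods list means the constraint covers all methods;
    restricted is True when an <auth-constraint> is present.
    """
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        result.append((patterns, methods, sc.find("auth-constraint") is not None))
    return result


def url_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/foo/*) or extension (*.jsp)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def auth_required(web_xml, method, path):
    """True if the first matching constraint restricts `method` on `path`.

    Simplification: a real container merges all matching constraints; one
    constraint per web.xml is enough to show the verb-tampering gap.
    """
    for patterns, methods, restricted in parse_constraints(web_xml):
        if not any(url_matches(p, path) for p in patterns):
            continue
        if methods and method.upper() not in methods:
            continue  # constraint lists verbs and this one is not among them
        return restricted
    return False


def bypass_verbs(web_xml, path, candidates=("HEAD", "PUT", "DELETE", "OPTIONS", "FOO")):
    """Verbs that reach `path` unauthenticated even though GET requires auth."""
    if not auth_required(web_xml, "GET", path):
        return []
    return [v for v in candidates if not auth_required(web_xml, v, path)]


def probe(host, port, path, verbs=("GET", "HEAD"), timeout=5):
    """Send each verb to a live host and return {verb: status}. Assumed helper:
    a 401 for GET next to a 200 for HEAD is the signature of the bypass."""
    statuses = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(verb, path)
        statuses[verb] = conn.getresponse().status
        conn.close()
    return statuses


if __name__ == "__main__":
    # Context-relative path of the JMX console servlet under /jmx-console.
    for label, cfg in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "bypass verbs:", bypass_verbs(cfg, "/HtmlAdaptor"))
    # Live check (placeholder host/port):
    # print(probe("jboss.example.test", 8080, "/jmx-console/HtmlAdaptor"))
```

Run against a real deployment, compare the web.xml of both jmx-console and web-console: if either still lists <http-method> elements, the container is still open to the verb-tampering bypass regardless of patch level.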
Solution
Upgrade to JBoss EAP version 4.2.0.CP09, 4.3.0.CP08, or later.