
JBoss EAP < 4.2.0.CP09 / 4.3.0.CP08 Multiple Vulnerabilities

High

Synopsis

The remote web server is vulnerable to multiple attack vectors.

Description

The remote host is running JBoss Enterprise Application Platform (JBEAP) < 4.2.0.CP09 / 4.3.0.CP08. Such versions are potentially affected by multiple vulnerabilities.

- The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP 'verbs'. A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. (CVE-2010-0738)

- It is possible to bypass authentication for /web-console by specifying an HTTP method other than GET or POST. (CVE-2010-1428)

- An information disclosure vulnerability allows attackers to acquire details about deployed web contexts. (CVE-2010-1429)
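The first two items describe the same weakness: a security-constraint that lists explicit http-method elements covers only those methods. The following web.xml excerpt is an added illustration, not text from this advisory or from JBoss; it assumes the JBossAdmin role name and HtmlAdaptor resource name of a stock JBoss 4.x jmx-console.war/WEB-INF/web.xml, and shows the weak constraint beside the corrected one.

```xml
<!-- Weak form (assumed to mirror the shipped jmx-console web.xml): because the
     collection names GET and POST, a request using any other method is outside
     the constraint and reaches the console without authentication. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>Only users with the JBossAdmin role may use the JMX console</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Corrected form: with no http-method elements, the constraint applies to
     every HTTP method, including ones the container does not recognise, so the
     authentication requirement cannot be sidestepped by changing the verb. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>Only users with the JBossAdmin role may use the JMX console</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
```

The same change applies to the /web-console deployment's web.xml; after editing, confirm that an unauthenticated request to either console is rejected regardless of the method used, and treat the edit as a stopgap until the upgrade in the Solution section is applied.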

Solution

Upgrade to JBoss EAP version 4.2.0.CP09, 4.3.0.CP08, or later.