JBoss vulnerability closed
According to a report from Red Hat, a vulnerability in JBoss Web Services (WS) in the JBoss Enterprise Application Platform (EAP) that could allow access to confidential data has now been closed. The problem was caused by a request handler that did not properly validate the resource path when serving a request for a WSDL file. The flaw allowed a remote attacker to read arbitrary XML views via a specially crafted request.
Affected versions include JBoss EAP before 4.2.0CP06 and 4.3.0.CP4. Red Hat has provided updated packages to fix the vulnerability, and is warning users to back up the JBoss EAP server/[configuration]/deploy/ directory and any other customised configuration files before applying the update.
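As an added illustration (this is not JBoss's own code; the class, method and directory path are hypothetical), here is a resource-path check of the kind the WSDL request handler lacked: the client-supplied name is confined to the deployment's WSDL directory and limited to WSDL/XSD documents, so a crafted path cannot reach other XML files on the server.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not JBoss code. All names here are hypothetical.
public final class WsdlPathCheck {
    private WsdlPathCheck() {}

    /**
     * Resolve a client-supplied WSDL resource name against the deployment's
     * WSDL directory. Returns null when the request must be rejected.
     */
    public static Path resolveWsdlResource(Path wsdlDir, String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        // Reject absolute paths and any parent-directory segments outright.
        // (Deliberately strict: a legitimate name never needs "..".)
        if (requested.startsWith("/") || requested.startsWith("\\")
                || requested.contains("..")) {
            return null;
        }
        // Only serve the document types a WSDL request legitimately needs.
        String lower = requested.toLowerCase();
        if (!(lower.endsWith(".wsdl") || lower.endsWith(".xsd"))) {
            return null;
        }
        Path base = wsdlDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole components, so "/x/wsdl2" is not
        // mistaken for a child of "/x/wsdl". Also refuse the directory itself.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed directory for the demonstration; not a real deployment.
        Path dir = Paths.get("/opt/example/deploy/app.ear/wsdl");
        System.out.println(resolveWsdlResource(dir, "Service.wsdl"));       // allowed
        System.out.println(resolveWsdlResource(dir, "types/Common.xsd"));   // allowed
        System.out.println(resolveWsdlResource(dir, "../../conf/example.xml")); // null
        System.out.println(resolveWsdlResource(dir, "Service.xml"));        // null
    }
}
```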
- Moderate: JBoss Enterprise Application Platform 4.2.0CP06 update, an advisory from Red Hat.