1 Reply Latest reply on Mar 15, 2012 1:33 PM by jfclere

    4.2.3 vulnerabilities using jbossweb 2.0.0.GA.CP15

    mrfixit440

      This is a 2-part question.  I'm currently running 4.2.3.GA with an updated jbossweb jar from the 2.0.0.GA.CP15 tag.  I would like to know if my server is vulnerable to the latest security issues and what version of jbossweb I can get to help me.  Looking at https://community.jboss.org/wiki/VersionOfTomcatInJBossAS, I need to get the latest jbossweb 2.0.1 version which is 2.0.1.GA found here: http://anonsvn.jboss.org/repos/jbossweb/tags/.  Is this correct, as far as getting the latest version of jbossweb for 4.2.3.GA?

       

      In IAVM 2011-B-0148, multiple security vulnerabilities were addressed by Tomcat and the fix is to update to the latest Tomcat 6.0.35.  Seeing that jbossweb is forked from Tomcat, how do I know if I'm vulnerable or not to these issues?  How do security vulnerabilities get addressed in jbossweb and isn't there a list that I can go to that shows this info?

       

      Thanks,

      Dan