
How to fix JBoss vulnerabilities?

Question asked by munfai.yue.1 on May 23, 2017
Latest reply on May 24, 2017 by rehbr01
We set up PIM 12.8 SP1 Endpoint Management to manage remote endpoints. Nessus scan on the embedded JBoss showed these vulnerabilities:

1. The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by known vulnerabilities, namely CVE-2007-1036, CVE-2012-0874 and CVE-2013-4810.

2. Unauthenticated access to a status servlet, which is used to monitor sessions and requests sent to the server. This vulnerability (CVE-2008-3273) was fixed in versions 4.2.0.CP03 and 4.3.0.CP01, but was later re-introduced (CVE-2010-1429) by an unrelated bug fix.

3. Unauthenticated access to certain documents under the '/web-console' directory. This is due to a misconfiguration in 'web.xml' that only requires authentication for GET and POST requests. Specifying a different command such as HEAD, DELETE or PUT causes the default GET handler to be used without authentication.

I just received confirmation from CA support that there is no patch to fix these vulnerabilities currently and upgrading to a later version of JBoss is not an option.

Question:
1. Has anyone in the field managed to fix these vulnerabilities, some of them as old as ten years? Please share your valuable experience.
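Both gaps the scan describes, a security-constraint that lists only GET and POST (so HEAD, PUT and DELETE bypass it) and invoker servlets that no constraint covers at all, are visible in the deployed web.xml. The script below is an added example, not code from the original thread, CA Support or the JBoss project: it audits a web.xml for verb-limited constraints, reports which paths a given verb can reach without authentication, and emits the corrected file. The sample web.xml and the path list are constructed for illustration (they combine the two shapes in one file; real deployments keep them in separate WARs).

```python
"""Audit a Servlet 2.4 web.xml for verb-tampering and uncovered paths.

Added example, not code from the thread, CA or JBoss. SAMPLE_WEB_XML is a
constructed stand-in: one constraint limited to GET/POST (the web-console
shape) and one covering the invoker servlets for every method.
"""
import xml.etree.ElementTree as ET

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"
ET.register_namespace("", J2EE_NS)  # keep the default namespace on output

# Constructed sample (not a copy of any shipped file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Invokers</web-resource-name>
      <url-pattern>/JMXInvokerServlet</url-pattern>
      <url-pattern>/EJBInvokerServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def _collections(root):
    """Yield (has_auth_constraint, web-resource-collection) pairs."""
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc)
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                yield has_auth, wrc


def find_verb_tampering(xml_text):
    """Constraints that list <http-method>: every verb NOT listed is open."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for has_auth, wrc in _collections(root):
        methods = [m.upper() for m in _texts(wrc, "http-method")]
        if has_auth and methods:
            findings.append({
                "name": (_texts(wrc, "web-resource-name") or [""])[0],
                "url_patterns": _texts(wrc, "url-pattern"),
                "protected_methods": methods,
            })
    return findings


def _pattern_matches(pattern, path):
    """Servlet 2.4 url-pattern matching: prefix, extension, or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path


def unprotected_paths(xml_text, paths, method="HEAD"):
    """Paths that no auth-constrained collection covers for `method`."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    covered = set()
    for has_auth, wrc in _collections(root):
        methods = [m.upper() for m in _texts(wrc, "http-method")]
        if not has_auth or (methods and method.upper() not in methods):
            continue  # this constraint does not apply to the verb
        for path in paths:
            if any(_pattern_matches(p, path) for p in _texts(wrc, "url-pattern")):
                covered.add(path)
    return [p for p in paths if p not in covered]


def fix_verb_tampering(xml_text):
    """Drop every <http-method> so each constraint covers all verbs.

    Returns (fixed_xml, removed_count). Servlet 2.4 has no
    <http-method-omission>, so removing the list is the portable fix.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    removed = 0
    for _has_auth, wrc in list(_collections(root)):
        for child in list(wrc):
            if _local(child.tag) == "http-method":
                wrc.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    targets = ["/Invoker", "/JMXInvokerServlet", "/status"]
    print("verb-limited constraints:", find_verb_tampering(SAMPLE_WEB_XML))
    print("open to HEAD before fix:", unprotected_paths(SAMPLE_WEB_XML, targets))
    fixed, n = fix_verb_tampering(SAMPLE_WEB_XML)
    print("removed", n, "http-method elements; open to HEAD after:",
          unprotected_paths(fixed, targets))
```

Run it against each deployed web.xml rather than the constructed sample; a path that comes back from unprotected_paths for HEAD or PUT but not for GET is exactly the verb-tampering case the scanner flags, and a path that comes back for every verb has no constraint at all and needs one added. Whether editing a vendor-embedded web.xml is supported is the open question in the thread, so re-run the scanner after a restart to confirm the change took effect.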
