We setup PIM 12.8 SP1 Endpoint Management to manage remote endpoints. A Nessus scan on the embedded JBoss showed these vulnerabilities:

1. The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by known vulnerabilities, namely CVE-2007-1036, CVE-2012-0874 and CVE-2013-4810.
2. Unauthenticated access to a status servlet, which is used to monitor sessions and requests sent to the server. This vulnerability (CVE-2008-3273) was fixed in versions 4.2.0.CP03 and 4.3.0.CP01, but was later re-introduced (CVE-2010-1429) by an unrelated bug fix.
3. Unauthenticated access to certain documents under the '/web-console' directory. This is due to a misconfiguration in 'web.xml' that only requires authentication for GET and POST requests. Specifying a different command such as HEAD, DELETE or PUT causes the default GET handler to be used without authentication.
I just received confirmation from CA support that there is no patch to fix these vulnerabilities currently and upgrading to a later version of JBoss is not an option.
Has anyone in the field managed to fix these vulnerabilities, some of which are as old as ten years? Please share your valuable experience.
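For the third finding, here is an added illustration (not part of the original post, and not CA's or JBoss's own file) of the 'web.xml' misconfiguration the scan describes, beside the corrected form in which the constraint covers every HTTP method. The resource name, URL pattern and role name are assumptions and must be matched to the actual deployment descriptor.

```xml
<!-- BEFORE (misconfigured): listing GET and POST explicitly means only those
     two methods are constrained. Any other method (HEAD, PUT, DELETE, ...)
     is not covered by the constraint and reaches the handler unauthenticated. -->
<security-constraint>
  <web-resource-collection>
    <!-- assumed names/patterns; check the real web-console web.xml -->
    <web-resource-name>web-console</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- AFTER (corrected): with no <http-method> elements at all, the Servlet
     specification applies the constraint to every HTTP method, so HEAD,
     PUT, DELETE and any unlisted verb require the same authentication. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>web-console</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- optional hardening: require TLS for the protected resources -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After redeploying, re-run the scan and confirm that requests using HEAD, PUT and DELETE against '/web-console' now receive the same authentication challenge as GET.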