----------------------------------------------------------------------

Proof-of-Concept (PoC) and Extended Analysis available for customers.
Get a free trial, contact sales@secunia.com

----------------------------------------------------------------------

TITLE:
Red Hat JBoss Enterprise Application Platform Three Security Issues

SECUNIA ADVISORY ID:
SA39563

VERIFY ADVISORY:
http://secunia.com/advisories/39563/

DESCRIPTION:
Three security issues have been reported in Red Hat JBoss Enterprise
Application Platform, which can be exploited by malicious people to
bypass certain security restrictions or disclose sensitive information.

1) Access to the JMX Console is not properly restricted, which can be
exploited to bypass authentication via an HTTP request that does not
specify GET or POST.

2) Access to the JBoss Application Server Web Console (/web-console)
is not properly restricted, which can be exploited to disclose
sensitive information via an HTTP request that does not specify GET
or POST.

3) The status servlet can be accessed without authentication, which
can be exploited to disclose details about deployed web contexts.

SOLUTION:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Stefano Di Paola and Giorgio Fedon of Minded
Security.
2, 3) Reported by the vendor.

ORIGINAL ADVISORY:
https://rhn.redhat.com/errata/RHSA-2010-0376.html
https://rhn.redhat.com/errata/RHSA-2010-0377.html
https://rhn.redhat.com/errata/RHSA-2010-0378.html
https://rhn.redhat.com/errata/RHSA-2010-0379.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
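Issues 1 and 2 are the pattern where an access restriction names only GET and POST, so any other verb reaches the protected resource without authentication. The following Python audit script is an added example, not code from Secunia or Red Hat; it assumes the restriction is expressed as a servlet security-constraint in a web.xml (a constructed sample is embedded), flags every constraint that enumerates http-method elements, and produces the hardened form that omits them so the constraint applies to all methods:

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a servlet web.xml: the constraint lists
# only GET and POST, so other verbs (HEAD, PUT, ...) are not covered by it.
# Assumption: the console's restriction is a servlet security-constraint.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    # Strip the XML namespace so the check works with or without xmlns.
    return tag.rsplit('}', 1)[-1]


def find_verb_limited_constraints(web_xml):
    """Return (url-pattern, [methods]) for each web-resource-collection that
    enumerates http-method elements. Such a constraint only protects the
    listed verbs; the fix is to drop the http-method elements entirely."""
    findings = []
    for wrc in ET.fromstring(web_xml).iter():
        if _local(wrc.tag) != 'web-resource-collection':
            continue
        methods = [e.text.strip() for e in wrc
                   if _local(e.tag) == 'http-method' and e.text]
        if not methods:
            continue  # no http-method means every method is covered
        for up in wrc:
            if _local(up.tag) == 'url-pattern':
                findings.append(((up.text or '').strip(), methods))
    return findings


def harden(web_xml):
    """Return the document with every http-method element removed, so each
    constraint applies to all HTTP methods."""
    root = ET.fromstring(web_xml)
    for wrc in root.iter():
        if _local(wrc.tag) == 'web-resource-collection':
            for e in list(wrc):
                if _local(e.tag) == 'http-method':
                    wrc.remove(e)
    return ET.tostring(root, encoding='unicode')
```

Run find_verb_limited_constraints over each deployed web.xml; any non-empty result is a constraint that a request with an unlisted verb will bypass.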