Old JBoss vuln in the wild, needs patching

JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva. The attacks are based on an exploit that was published back in October by Andrea Micalizzi. The exploit code gave remote attackers arbitrary code execution access to HP's PCM Plus and Application …



This used to be just sloppy configuration but not these days

In the past this sort of thing would be down to sloppy configuration by a sysadmin, i.e. leaving the management interfaces exposed to the world, as there's no reason why everyone & his dog needs access to them. But then I've seen so many so-called cloud providers doing this without the option to lock it down that it's surprising these don't happen more often.

That said, I've known one person over the years who wanted to expose MS SQL Server to the world because 'it was easier'.
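The misconfiguration the comment above describes, management interfaces bound to every address, is something a sysadmin can check for mechanically. The following is an added example (not code from the article or from the commenter) that audits a JBoss AS 7 / EAP 6 style `standalone.xml`: it resolves `${property:default}` expressions, maps each named `<interface>` to its bind address, and flags any `management-*` socket binding whose interface is not loopback. The two configurations are constructed for the example; the element and attribute names follow the AS 7 `urn:jboss:domain` format as an assumption about the target's layout.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an AS 7 / EAP 6 standalone.xml (assumption: this is
# how the file is laid out; the values are made up and not taken from the article).
WEAK_CONFIG = """<server xmlns="urn:jboss:domain:1.4">
  <interfaces>
    <interface name="management">
      <inet-address value="${jboss.bind.address.management:0.0.0.0}"/>
    </interface>
    <interface name="public">
      <any-address/>
    </interface>
  </interfaces>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
  </socket-binding-group>
</server>
"""

# Same file with the management interface pinned to loopback.
HARDENED_CONFIG = WEAK_CONFIG.replace("0.0.0.0", "127.0.0.1")

_EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def resolve_expression(value, props=None):
    """Resolve a ${prop:default} expression: system property if given, else the default."""
    props = props or {}
    m = _EXPR.fullmatch(value.strip())
    if not m:
        return value
    return props.get(m.group(1), m.group(2) or "")


def interface_addresses(root, props=None):
    """Map each <interface name=...> to its resolved bind address."""
    addrs = {}
    for container in root.iter():
        if _local(container.tag) != "interfaces":
            continue
        for iface in container:
            if _local(iface.tag) != "interface":
                continue
            addr = "UNKNOWN"  # unhandled criteria get flagged for manual review
            for crit in iface:
                kind = _local(crit.tag)
                if kind == "inet-address":
                    addr = resolve_expression(crit.get("value", ""), props)
                elif kind == "any-address":
                    addr = "0.0.0.0"
                elif kind == "loopback":
                    addr = "127.0.0.1"
            addrs[iface.get("name")] = addr
    return addrs


def is_loopback(addr):
    """True only for a literal loopback address; anything unparsable is treated as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_management_exposure(xml_text, props=None):
    """Return one finding per management-* socket binding not pinned to loopback."""
    root = ET.fromstring(xml_text)
    addrs = interface_addresses(root, props)
    findings = []
    for group in root.iter():
        if _local(group.tag) != "socket-binding-group":
            continue
        default_iface = group.get("default-interface")
        for sb in group:
            if _local(sb.tag) != "socket-binding":
                continue
            name = sb.get("name", "")
            if not name.startswith("management"):
                continue
            iface = sb.get("interface", default_iface)
            addr = addrs.get(iface, "UNKNOWN")
            port = resolve_expression(sb.get("port", ""), props)
            if not is_loopback(addr):
                findings.append(f"{name} on interface '{iface}' binds {addr}:{port} (not loopback)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_exposure(cfg) or ["no exposed management bindings"])
```

Because `${...}` defaults can be overridden on the command line, pass the properties the server is actually started with (for example `{"jboss.bind.address.management": "0.0.0.0"}`) as `props`; a loopback default in the file proves nothing if the startup script overrides it.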


Old unsupported software has a security flaw? How surprising

(Disclaimer: I work for Red Hat)

The flaw isn't exploitable on the supported JBoss EAP releases since a second layer requires authentication. It isn't a flaw in AS 6 and 7, or EAP 6.

So in other words if you are running old unsupported versions of software and don't have security patches installed, then you might get affected by flaws from a year or two ago.


