The JMX Console is vulnerable to information disclosure. Its configuration specified an authentication requirement only for requests that used the GET and POST HTTP “verbs”. A remote attacker could create an HTTP request that does not specify GET or POST, causing it to be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs, so the authentication requirement is applied to all requests.
marc.info/?l=bugtraq&m=132129312609324&w=2
public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=35
secunia.com/advisories/39563
securityreason.com/securityalert/8408
securitytracker.com/id?1023918
www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp08/html-single/Release_Notes/index.html
www.redhat.com/security/updates/classification/#critical
www.securityfocus.com/bid/39710
www.vupen.com/english/advisories/2010/0992
access.redhat.com/errata/RHSA-2010:0376
access.redhat.com/errata/RHSA-2010:0377
access.redhat.com/errata/RHSA-2010:0378
access.redhat.com/errata/RHSA-2010:0379
access.redhat.com/kb/docs/DOC-30741
access.redhat.com/security/cve/CVE-2010-0738
bugzilla.redhat.com/show_bug.cgi?id=574105
exchange.xforce.ibmcloud.com/vulnerabilities/58147
rhn.redhat.com/errata/RHSA-2010-0376.html
rhn.redhat.com/errata/RHSA-2010-0377.html
rhn.redhat.com/errata/RHSA-2010-0378.html
rhn.redhat.com/errata/RHSA-2010-0379.html