The JBoss AS Web Console is vulnerable to information disclosure. Unauthenticated access to the JBoss Application Server Web Console (/web-console) is blocked by default. However, this block was found to be incomplete: it only blocked the GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. This release contains a Web Console with an updated configuration that now blocks all unauthenticated access to it by default.
marc.info/?l=bugtraq&m=132698550418872&w=2
secunia.com/advisories/39563
securitytracker.com/id?1023917
www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp08/html-single/Release_Notes/index.html
www.redhat.com/security/updates/classification/#critical
www.securityfocus.com/bid/39710
www.vupen.com/english/advisories/2010/0992
access.redhat.com/errata/RHSA-2010:0377
bugzilla.redhat.com/show_bug.cgi?id=585899
exchange.xforce.ibmcloud.com/vulnerabilities/58148
rhn.redhat.com/errata/RHSA-2010-0376.html
rhn.redhat.com/errata/RHSA-2010-0377.html
rhn.redhat.com/errata/RHSA-2010-0378.html
rhn.redhat.com/errata/RHSA-2010-0379.html