7. Issues fixed in this release

Following is a list of issues fixed in this release:
Security
  • JBPAPP-3952: A security issue in the JMX Console configuration has been identified that allows an attacker to bypass security authentication.
    The JMX Console configuration only specified an authentication requirement for requests that used the GET and POST HTTP "verbs". An attacker could create an HTTP request that specified a verb other than GET or POST, and it would be executed by the default GET handler without authentication. This release contains a JMX Console with an updated configuration that no longer specifies the HTTP verbs, so the authentication requirement is applied to all requests regardless of verb.
    For additional information on this vulnerability refer to: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
    All users are advised to upgrade to this release to resolve this issue.
    If an immediate upgrade is not possible, or the server deployment has been customized, the fix can be applied by editing the deployment descriptor (WEB-INF/web.xml) of the JMX Console WAR. Details of how to apply this fix can be found at http://kbase.redhat.com/faq/docs/DOC-30741. Contact Red Hat JBoss Support for advice before making these changes.
    Red Hat would like to thank Stefano di Paola and Giorgio Fedon of Minded Security for responsibly reporting the CVE-2010-0738 issue.
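The misconfiguration described in JBPAPP-3952 is a security-constraint whose web-resource-collection lists specific http-method elements, leaving every other verb outside the constraint. The following audit script is an added example, not part of these release notes or of the JBoss distribution; it parses a web.xml and flags authenticated constraints that are restricted to named verbs. The embedded descriptors are constructed samples, and the role name JBossAdmin and resource name HtmlAdaptor are assumed rather than taken from this page.

```python
"""Audit a servlet deployment descriptor (WEB-INF/web.xml) for
security-constraints that name <http-method> elements.

A constraint that lists verbs protects only those verbs; a request using
any other verb falls outside it and reaches the servlet unauthenticated.
A constraint with no <http-method> covers every verb, which is the
configuration change shipped for CVE-2010-0738.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (role/resource names are assumptions).
# The xmlns attribute is included so the audit must match tags by local name.
_TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>{methods}
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Vulnerable shape: only GET and POST require authentication.
VULNERABLE_WEB_XML = _TEMPLATE.format(
    methods="\n      <http-method>GET</http-method>"
            "\n      <http-method>POST</http-method>")
# Fixed shape: no verbs listed, so the constraint applies to all requests.
FIXED_WEB_XML = _TEMPLATE.format(methods="")


def _local(tag):
    """Strip an XML namespace prefix like '{uri}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_verb_restricted_constraints(web_xml):
    """Return one finding per authenticated collection that names verbs."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        # A constraint without <auth-constraint> grants nothing to bypass.
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            methods = [m.text.strip() for m in wrc if _local(m.tag) == "http-method"]
            patterns = [p.text.strip() for p in wrc if _local(p.tag) == "url-pattern"]
            if methods:
                findings.append({"patterns": patterns, "protected_methods": methods})
    return findings


def is_verb_tampering_exposed(web_xml):
    """True when any authenticated constraint covers only some HTTP verbs."""
    return bool(find_verb_restricted_constraints(web_xml))
```

Run it against the WEB-INF/web.xml of each deployed WAR; any finding means the listed url-patterns are reachable without authentication via an unlisted verb, and removing the http-method elements (as this release does for the JMX Console) clears it.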