The default JBoss install enables the jmx-console, and does not protect
it in any way, which can be used by an attacker to deploy their own
applications to your JBoss server, like:

Novell have a TID (#3024921) on securing JBoss / jmx-console, but it is
out of date (feedback already posted, so hopefully that will be corrected
soon). It plugs only the GET and POST holes, but there is a current
exploit targeting HEAD operations and it misses that entirely.

The document on security has been updated to tighten up
security and prevent this attack.
For UserApp / RBPM, you must go further. Search for all jboss-web.xml and
web.xml files, and make these changes to all of them, not just the ones
in the .../server/default directory structure.

David Gersic
Novell Knowledge Partner

Please post questions in the forums. No support provided via email.
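As an added example, not code from this post or from the Novell TID, here is a small Python check that parses a web.xml and flags every web-resource-collection that enumerates http-method elements, since a constraint limited to GET and POST leaves HEAD and every other verb unconstrained while a constraint with no http-method at all covers them all. The two embedded web.xml fragments are constructed samples, and the resource name and role name in them are assumptions.

```python
"""Audit a JBoss web.xml for security-constraints that cover only some
HTTP verbs.  A <web-resource-collection> listing <http-method>GET and
POST protects those two verbs only; any other verb (HEAD, PUT, ...) is
not subject to the constraint.  Omitting <http-method> covers all verbs."""
import xml.etree.ElementTree as ET

# Constructed sample (resource and role names assumed): the partial
# constraint that protects GET and POST only.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the same constraint with the verb list removed,
# so it applies to every HTTP method.
FIXED_WEB_XML = "\n".join(
    line for line in WEAK_WEB_XML.splitlines() if "<http-method>" not in line)


def _local(tag):
    """Strip any XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def find_partial_constraints(web_xml_text):
    """Return [(web-resource-name, [verbs])] for each resource collection
    whose constraint is limited to an explicit list of HTTP verbs."""
    findings = []
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "web-resource-collection":
            continue
        verbs = [c.text.strip().upper() for c in elem
                 if _local(c.tag) == "http-method" and c.text]
        if verbs:  # an empty list means every verb is constrained
            name = next((c.text for c in elem
                         if _local(c.tag) == "web-resource-name"), "?")
            findings.append((name, verbs))
    return findings


if __name__ == "__main__":
    print("weak :", find_partial_constraints(WEAK_WEB_XML))
    print("fixed:", find_partial_constraints(FIXED_WEB_XML))
```

Run `find_partial_constraints` over the contents of every web.xml under the JBoss install, not only server/default, to find the deployments that still need the change.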