Question: Does the following apply to User Application 3.5 also or has
this been already addressed?

JBoss Application Server Security Vulnerability Notice
This document (3024921) is provided subject to the disclaimer at the end
of this document.

Environment

JBoss Application Server versions 4.0.1 SP1
JBoss Application Server versions 4.0.2 SP1
JBoss Application Server versions 4.0.3 SP1
JBoss Application Server versions 4.0.5
Novell Identity Manager UserApplication 3.0
Novell Identity Manager UserApplication 3.0.1 SP1

Situation

Symantec discovered a flaw in the DeploymentFileRepository class of the
JBoss Application Server. A remote attacker who is able to access the
console manager could read or write to files with the permissions of the
JBoss AS user. This could potentially lead to arbitrary code execution
as the JBoss AS user. (CVE-2006-5750)

Please note that the JBoss AS console manager should always be secured
prior to deployment, as directed in the JBoss Application Server Guide.
By default, the JBoss AS installer gives users the ability to password
protect the console manager, limiting an attack using this vulnerability
to authorised users. These steps can also be performed manually.
Rob Rawson
Director: Identity Management Consulting Practice
Computer Integrated Services Company of New York
561 7th Avenue
13th Floor
New York, NY 10018
(212) 577-6033
(818) 377-6033 (FAX)
(914) 325-3674 (Mobile)
DirectorIDM4CIS (AIM)
Robert.Rawson (Skype)
rrawson@ciscony.com