
In my organization I found servers running JBoss Web/7.0.13.Final and JBoss Web/7.0.12.Final.

I could not find security vulnerabilities for this server's versions, but they seem old to me.

How can I find JBoss Web security vulnerabilities (CVEs, etc.)? I understood that JBoss Web is based on Apache and Tomcat. Does JBoss Web version x.y.z have the same vulnerabilities as Tomcat x.y.z?

Notice that this is not the common general question about finding CVEs for some product, but specifically about JBoss Web. If one can find the CPE for JBoss Web vulnerabilities, or give a reference to a JBoss Web vulnerability, it will help. I could not find such vulnerabilities in NIST and all the classical resources.

Gari BN
  • No, JBoss Web version is different from that of Tomcat. You should check what version of Apache (web server) and Tomcat it contains. – Aulis Ronkainen Jun 13 '18 at 18:23
  • Also, Although _some_ versions of JBoss contain Tomcat, JBoss contains other code that Tomcat does not. Also, JBoss is pure Java code, and does not contain any Apache httpd code in it. The confusion may be because you're confusing the Apache Software foundation with the Apache Httpd server. – Steve Sether Jun 13 '18 at 18:32

1 Answer


You can check your application's vulnerabilities here (for example): cvedetails

or in NIST's VDB

If you found some vulns, then you can test with some penetration testing tools. Most of the time you can easily find an exploit (if one exists) for a vulnerability in the Metasploit database or on Google.

And for the other question: (RedHat) JBoss Web and (Apache) Tomcat are not the same thing.

Both JBoss and Tomcat are Java servlet application servers, but JBoss is a whole lot more. The substantial difference between the two is that JBoss provides a full Java Enterprise Edition (JEE) stack, including Enterprise JavaBeans and many other technologies that are useful for developers working on enterprise Java applications. Tomcat is much more limited. One way to think of it is that JBoss is a JEE stack that includes a servlet container and web server, whereas Tomcat, for the most part, is a servlet container and web server.

You can read more here

So no, both of them have different vulnerabilities.

More related information: Most of the time the vendors of software (if they notice vulns) will announce the issue after the fix/patch release. If you work mostly with JBoss, then you should subscribe to RedHat's security newsletters. It's important to take care of security; I think this is (mostly) the fastest way to keep my knowledge about vulnerabilities up to date.

(English is not my mother tongue; please excuse any errors on my part.)

G3ph4z
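The answer points at NIST's database and the comments stress that a JBoss Web version number says nothing about the Tomcat version bundled inside it. The following Python script is an added example, not part of the original question or answer: it takes an NVD-style CVE record set, extracts the CPE match entries, and reports which CVEs cover an installed version such as 7.0.13.Final. The response data is constructed inline to mimic the layout of the NVD CVE API 2.0 (the real endpoint is `https://services.nvd.nist.gov/rest/json/cves/2.0` with a `cpeName` query parameter); the vendor and product names, the CPE strings and the CVE ids are placeholders, because the page does not give JBoss Web's real CPE name. The third sample record shows the comments' point: a CVE filed against a different product with the same version range does not match.

```python
import re

# Constructed sample in the shape of an NVD CVE API 2.0 response.
# Vendor/product names, CPE strings and CVE ids are placeholders, not real records.
SAMPLE_NVD_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "configurations": [{"nodes": [{"cpeMatch": [{
                     "vulnerable": True,
                     "criteria": "cpe:2.3:a:placeholder_vendor:placeholder_web:*:*:*:*:*:*:*:*",
                     "versionStartIncluding": "7.0.0",
                     "versionEndExcluding": "7.0.14"}]}]}]}},
        {"cve": {"id": "CVE-0000-0002",
                 "configurations": [{"nodes": [{"cpeMatch": [{
                     "vulnerable": True,
                     # exact version in the CPE itself, no range fields
                     "criteria": "cpe:2.3:a:placeholder_vendor:placeholder_web:7.0.16:*:*:*:*:*:*:*"}]}]}]}},
        {"cve": {"id": "CVE-0000-0003",
                 "configurations": [{"nodes": [{"cpeMatch": [{
                     "vulnerable": True,
                     # different product, overlapping version range
                     "criteria": "cpe:2.3:a:placeholder_vendor:placeholder_servlet_container:*:*:*:*:*:*:*:*",
                     "versionStartIncluding": "7.0.0",
                     "versionEndExcluding": "7.0.40"}]}]}]}},
    ]
}


def parse_version(text):
    """Turn '7.0.13.Final' or '7.0.12' into a tuple of ints.
    Qualifiers such as 'Final' carry no ordering information here and are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def cmp_versions(a, b):
    """Return -1, 0 or 1 comparing version strings; missing trailing
    components count as zero so that 7.0 == 7.0.0."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def cpe_fields(criteria):
    """Split a CPE 2.3 formatted string into the fields we need.
    Layout: cpe:2.3:part:vendor:product:version:update:... (escaped colons not handled)."""
    f = criteria.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}


def version_matches(installed, match):
    """True if the installed version falls inside one cpeMatch entry."""
    crit = cpe_fields(match["criteria"])
    if crit["version"] not in ("*", "-"):
        # CPE names one exact version; range fields do not apply
        return cmp_versions(installed, crit["version"]) == 0
    bounds = [
        ("versionStartIncluding", lambda c: c >= 0),
        ("versionStartExcluding", lambda c: c > 0),
        ("versionEndIncluding", lambda c: c <= 0),
        ("versionEndExcluding", lambda c: c < 0),
    ]
    for key, ok in bounds:
        if key in match and not ok(cmp_versions(installed, match[key])):
            return False
    return True


def affected_cves(response, vendor, product, installed_version):
    """Return the sorted CVE ids whose CPE match entries cover the given
    vendor/product at installed_version. Product identity is checked first,
    so a CVE against another product with the same version number is skipped."""
    hits = set()
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable", False):
                        continue
                    crit = cpe_fields(m["criteria"])
                    if crit["vendor"] != vendor or crit["product"] != product:
                        continue
                    if version_matches(installed_version, m):
                        hits.add(cve["id"])
    return sorted(hits)


if __name__ == "__main__":
    for ver in ("7.0.12.Final", "7.0.13.Final", "7.0.14.Final", "7.0.16"):
        print(ver, affected_cves(SAMPLE_NVD_RESPONSE,
                                 "placeholder_vendor", "placeholder_web", ver))
```

To run it against live data, fetch the endpoint above for the product's real CPE name and pass the parsed JSON in place of `SAMPLE_NVD_RESPONSE`; the range logic follows the NVD `versionStart*`/`versionEnd*` fields, and the product check is what keeps a Tomcat-only CVE from being reported against a JBoss Web version that merely happens to share a number.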