Forum Discussion

JustCooLpOOLe
Nov 15, 2016

Scan Failure - Redhat JBoss Enterprise

We have applications that use this piece of software for their application. We just had a vulnerability scan run against it and it came back with the below information. The solution says to upgrade the version of RedHat but alas, our developers are trying to avoid all scenarios. Has anyone come across this or know of an alternate solution?


THREAT: Red Hat JBoss Enterprise Application Platform (or JBoss EAP) is a subscription-based/open-source Java EE-based application server runtime platform used for building, deploying, and hosting highly-transactional Java applications and services.


Red Hat JBoss EAP contains the following vulnerabilities: CVE-2015-5178: The Management Console in Red Hat Enterprise Application Platform before 6.4.4 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a FRAME or IFRAME element. CVE-2015-5220: The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 allows remote attackers to cause a denial of service (memory consumption) via a large request header.


Affected Versions: Red Hat Enterprise Application Platform (EAP) before 6.4.4


IMPACT: Depending on the vulnerability being exploited, an unauthenticated, remote attacker could conduct click-jacking attacks or cause a DoS attack on a targeted system.


SOLUTION: Customers are advised to download Red Hat EAP 6.4.4 or later versions to remediate this vulnerability.


1 Reply

Hi Shann, I'm not really an expert in this type of attack. Reading documentation (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet) I see that the X-Frame-Options HTTP header can be used to protect from CVE-2015-5178. Generally speaking, I think that it is possible to insert this header by an iRule in the HTTP_RESPONSE event. In this way you would make up for the missing header insertion. Regarding CVE-2015-5220, you can create an iRule that, in the HTTP_REQUEST event, counts the number of HTTP headers in the request and rejects the request if this number is larger than a specific limit.

Hope this can help.

regards

Leonardo
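As an added example (not code from the post, from F5 or from Red Hat), here is what the two compensating controls described in the reply look like as one BIG-IP iRule in front of an unpatched EAP instance. It inserts X-Frame-Options in HTTP_RESPONSE when the backend did not set one, and in HTTP_REQUEST rejects requests whose header block is too numerous or, going slightly beyond the reply, too large in bytes, since CVE-2015-5220 concerns a large request header rather than many headers. The limits, the `static::` variable names and the SAMEORIGIN value are assumptions to tune for the application.

```tcl
# Added example (not from the post or from F5/Red Hat): a compensating-control
# iRule for a BIG-IP virtual server in front of an unpatched JBoss EAP instance.
# It implements the two measures the reply describes, plus a total-header-size
# check, since CVE-2015-5220 concerns a large request header rather than many.
# Limits (MAX_HEADERS, MAX_HEADER_BYTES) are assumed values; measure the
# application's legitimate traffic before enforcing them.

when RULE_INIT {
    set static::MAX_HEADERS       64      ;# assumed: headers per request
    set static::MAX_HEADER_BYTES  16384   ;# assumed: bytes of request line + headers
    set static::XFO_VALUE         "SAMEORIGIN"
}

when HTTP_REQUEST {
    # CVE-2015-5220 mitigation: refuse oversized or over-numerous header blocks
    # before they reach the backend. HTTP::request returns the raw header block
    # (request line plus all headers) as a string.
    set hdr_count [HTTP::header count]
    set hdr_bytes [string length [HTTP::request]]
    if { $hdr_count > $static::MAX_HEADERS || $hdr_bytes > $static::MAX_HEADER_BYTES } {
        # Log the rejection so the SOC can see whether a client is probing the limit.
        log local0.warn "Rejected request from [IP::client_addr]: $hdr_count headers, $hdr_bytes header bytes"
        HTTP::respond 431 content "Request header fields too large" "Connection" "close"
        return
    }
}

when HTTP_RESPONSE {
    # CVE-2015-5178 mitigation: add the anti-framing header the console omits.
    # Only insert when the backend did not already set one, so that a patched
    # server keeps its own policy.
    if { ![HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert "X-Frame-Options" $static::XFO_VALUE
    }
}
```

Two caveats when using this. First, the iRule only covers traffic that passes through the virtual server it is attached to; the EAP management console on its own listener is not protected unless that listener is also proxied by the BIG-IP, so the scanner will keep flagging it if it is reached directly. Second, the LTM HTTP profile already has Maximum Header Size and Maximum Header Count settings that enforce the request-side limit without an iRule, which is simpler to maintain; the HTTP_RESPONSE half remains useful for the missing header. Either way this is a stopgap for the scan finding, and the actual fix stays the upgrade to EAP 6.4.4 or later that the report recommends.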