mod_cluster registers and exposes the root context of a JBoss AS 7 server by default, despite ROOT being in the excluded-contexts list. The excluded-contexts list requires the hostname to be set as well as the path to correctly identify a context. Due to a mismatch between AS 7 and mod_cluster concerning the default hostname, the contents of the excluded-contexts list are not matched by mod_cluster. This issue is resolved by automatically prepending the default hostname to the path when parsing the excluded-contexts list.
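The matching failure and the fix described above can be shown with a small stand-alone model. This is an added example, not mod_cluster or JBoss AS code; the `host:context` entry syntax with `ROOT` meaning `/`, the host names `default-host` and `localhost`, the sample list, and the `parse` and `isExcluded` helpers are all assumptions made for illustration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class ExcludedContextsDemo {
    // Parse a comma-separated list of "host:context" or bare "context" entries
    // into host -> excluded paths. Bare entries are filed under hostForBareEntries.
    static Map<String, Set<String>> parse(String list, String hostForBareEntries) {
        Map<String, Set<String>> excluded = new HashMap<>();
        for (String raw : list.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            int colon = entry.indexOf(':');
            String host = colon < 0 ? hostForBareEntries : entry.substring(0, colon).trim();
            String ctx = colon < 0 ? entry : entry.substring(colon + 1).trim();
            // "ROOT" stands for the root context; other names become "/name".
            String path = ctx.equals("ROOT") ? "/" : (ctx.startsWith("/") ? ctx : "/" + ctx);
            excluded.computeIfAbsent(host, h -> new HashSet<>()).add(path);
        }
        return excluded;
    }

    // A context is excluded only if BOTH its host and its path match an entry.
    static boolean isExcluded(Map<String, Set<String>> excluded, String host, String path) {
        return excluded.getOrDefault(host, Collections.emptySet()).contains(path);
    }

    public static void main(String[] args) {
        String list = "ROOT,admin-console";   // constructed sample list
        String serverHost = "default-host";   // assumed: host the server registers contexts under
        String parserHost = "localhost";      // assumed: host the parser used for bare entries

        // Mismatch: bare entries land under a host the server never uses,
        // so "/" is not recognised as excluded and gets registered.
        Map<String, Set<String>> mismatched = parse(list, parserHost);
        System.out.println("mismatched defaults, / excluded: "
                + isExcluded(mismatched, serverHost, "/"));

        // Fix as described: prepend the server's own default host while parsing.
        Map<String, Set<String>> aligned = parse(list, serverHost);
        System.out.println("aligned defaults,    / excluded: "
                + isExcluded(aligned, serverHost, "/"));
    }
}
```

On an affected deployment, the same effect can be checked from the proxy side by confirming whether the root context appears among the contexts registered for the node.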
This flaw does not affect OpenShift, as mod_cluster is not being used.
No SOA-P/BRMS-P/EDS-P products are based on AS 7 at this time.
This issue is now resolved in JBoss AS 7.1.1.Final.
Statement: Not vulnerable. This issue only affects community JBoss AS 7 prior to 7.1.1. It does not affect components shipped with any Red Hat products.