mod_cluster 1.0.10 CP02 and 1.1.3 register and expose the root context of a server by default, despite ROOT being in the excludedContexts list. This is due to a regression that bypassed context filtering for the root context, causing the root context to be enabled inadvertently. This flaw is fixed in mod_cluster 1.0.10 CP03 and 1.1.4.
The following products are affected by this flaw:

  JBoss Enterprise Web Server 1.0.2
  JBoss Enterprise Application Platform 5.1.2
  JBoss Enterprise Web Platform 5.1.2
  JBoss Communications Platform 5.1.3
Upstream bug report: https://issues.jboss.org/browse/MODCLUSTER-253
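An added example, not mod_cluster's own code or part of this report: a check that compares a node's excludedContexts value with the contexts actually registered at the proxy and reports any excluded context that is still exposed, which is the symptom described above. The entry syntax (`host:context`, with `ROOT` for the root context and `localhost` as the default host), the function names and the sample data are assumptions constructed for illustration.

```python
DEFAULT_HOST = "localhost"  # assumption: the server's default host name

def normalize(ctx):
    """Map a context name or path to a canonical path; ROOT, '' and '/' all mean root."""
    ctx = ctx.strip()
    if ctx in ("ROOT", "", "/"):
        return "/"
    return "/" + ctx.strip("/")

def parse_excluded(value, default_host=DEFAULT_HOST):
    """Parse 'ctx' or 'host:ctx' entries (comma-separated) into (host, path) pairs."""
    excluded = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, _, ctx = entry.rpartition(":")
        excluded.add((host.strip().lower() or default_host, normalize(ctx)))
    return excluded

def leaked_contexts(excluded_value, registered, default_host=DEFAULT_HOST):
    """Return excluded contexts that the proxy nevertheless has registered."""
    excluded = parse_excluded(excluded_value, default_host)
    seen = {((host or default_host).lower(), normalize(path)) for host, path in registered}
    return sorted(seen & excluded)

# Constructed sample data (not taken from the report).
EXCLUDED = "ROOT,admin-console,jmx-console,web-console"
AFFECTED_NODE = [("localhost", "/"), ("localhost", "/shop")]  # root registered anyway
FIXED_NODE = [("localhost", "/shop")]                         # root filtered as configured

if __name__ == "__main__":
    for name, contexts in (("affected", AFFECTED_NODE), ("fixed", FIXED_NODE)):
        print(name, leaked_contexts(EXCLUDED, contexts))
```

A non-empty result for a node means an excluded context is reachable through the proxy and the node should be checked against the fixed versions named above.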
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:1012 https://rhn.redhat.com/errata/RHSA-2012-1012.html

This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1011 https://rhn.redhat.com/errata/RHSA-2012-1011.html

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1010 https://rhn.redhat.com/errata/RHSA-2012-1010.html

This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1052 https://rhn.redhat.com/errata/RHSA-2012-1052.html

This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1053 https://rhn.redhat.com/errata/RHSA-2012-1053.html

This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:1166 https://rhn.redhat.com/errata/RHSA-2012-1166.html