When a JGroups channel is started, the JGroups diagnostics service is enabled by default and requires no authentication. This service is exposed via IP multicast. On JBoss Enterprise Application Platform 6, an attacker on an adjacent network can exploit this flaw to read diagnostics information and invoke JMX operations on the server (limited remote code execution). On other affected JBoss products, an attacker on an adjacent network can exploit this flaw only to read diagnostics information (information disclosure).
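As an added example (not part of this advisory, and not code from JGroups or JBoss), the Python check below parses a JGroups protocol stack in either the plain JGroups XML form or the EAP 6 jgroups subsystem form, reports for each transport whether the diagnostics service is enabled, and rewrites the configuration so it is disabled. It assumes the transport properties `enable_diagnostics`, `diagnostics_addr` and `diagnostics_port`, the enabled-by-default behaviour the advisory describes, and a default diagnostics multicast endpoint of 224.0.75.75:7500; the configuration snippets are constructed samples.

```python
"""Audit and harden JGroups transport configuration for the diagnostics service.

Added example, not from the advisory, JGroups or JBoss. Assumes the transport
protocols accept enable_diagnostics, diagnostics_addr and diagnostics_port,
that enable_diagnostics defaults to true, and that the default multicast
endpoint is 224.0.75.75:7500. The configuration snippets are constructed.
"""
import xml.etree.ElementTree as ET

TRANSPORTS = {"UDP", "TCP", "TCP_NIO2", "TUNNEL"}
DEFAULT_DIAG_ADDR = "224.0.75.75"  # assumed JGroups default
DEFAULT_DIAG_PORT = "7500"         # assumed JGroups default

# Constructed sample: a plain JGroups stack that never mentions diagnostics,
# so it inherits the enabled-by-default, unauthenticated service.
SAMPLE_PLAIN = """<config xmlns="urn:org:jgroups">
  <UDP mcast_addr="228.6.7.8" mcast_port="45588"/>
  <PING/>
  <FD_ALL/>
</config>"""

# Constructed sample: EAP 6 style jgroups subsystem with diagnostics disabled.
SAMPLE_EAP6 = """<subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
  <stack name="udp">
    <transport type="UDP" socket-binding="jgroups-udp">
      <property name="enable_diagnostics">false</property>
    </transport>
    <protocol type="PING"/>
  </stack>
</subsystem>"""


def _local(tag):
    """Drop an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def _is_transport(elem):
    tag = _local(elem.tag)
    return tag in TRANSPORTS or (tag == "transport" and elem.attrib.get("type") in TRANSPORTS)


def _transport_props(elem):
    """Return (transport name, properties) for either configuration style."""
    tag = _local(elem.tag)
    if tag in TRANSPORTS:                      # <UDP key="value"/>
        return tag, dict(elem.attrib)
    props = {}                                 # <transport type="UDP"><property name="k">v</property>
    for child in elem:
        if _local(child.tag) == "property" and "name" in child.attrib:
            props[child.attrib["name"]] = (child.text or "").strip()
    return elem.attrib["type"], props


def audit_diagnostics(xml_text):
    """List every transport and whether its diagnostics service is enabled.

    A missing enable_diagnostics property is reported as enabled, because the
    default is exactly what exposes the service.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not _is_transport(elem):
            continue
        name, props = _transport_props(elem)
        raw = props.get("enable_diagnostics")
        findings.append({
            "transport": name,
            "explicit": raw is not None,
            "enabled": True if raw is None else raw.strip().lower() == "true",
            "addr": props.get("diagnostics_addr", DEFAULT_DIAG_ADDR),
            "port": props.get("diagnostics_port", DEFAULT_DIAG_PORT),
        })
    return findings


def disable_diagnostics(xml_text):
    """Return the configuration with enable_diagnostics=false on every transport."""
    root = ET.fromstring(xml_text)
    transports = [e for e in root.iter() if _is_transport(e)]  # collect first, then mutate
    for elem in transports:
        if _local(elem.tag) in TRANSPORTS:
            elem.set("enable_diagnostics", "false")
            continue
        for child in elem:
            if _local(child.tag) == "property" and child.attrib.get("name") == "enable_diagnostics":
                child.text = "false"
                break
        else:
            ns = elem.tag[: -len("transport")]  # "{uri}" or "" so the new child stays in the namespace
            prop = ET.SubElement(elem, ns + "property", name="enable_diagnostics")
            prop.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_EAP6, disable_diagnostics(SAMPLE_PLAIN)):
        for f in audit_diagnostics(sample):
            state = "ENABLED" if f["enabled"] else "disabled"
            print(f"{f['transport']}: diagnostics {state} on {f['addr']}:{f['port']}")
```

Run against a real stack file, the check treats silence as exposure: a transport that says nothing about `enable_diagnostics` is flagged, which is the condition the advisory describes. Setting the property to false removes the multicast listener entirely, so it is the configuration change to verify on clusters that cannot yet take the fixed builds listed below.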
EAP 6 bug: https://issues.jboss.org/browse/JBPAPP-9053
EAP/EWP 5 bug: https://issues.jboss.org/browse/JBPAPP-9118
This flaw is resolved in EAP 6.0.0 GA.
This issue has been addressed in the following products: JBoss Enterprise BRMS Platform 5.3.0 via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
This issue has been addressed in the following products: JBoss Enterprise SOA Platform 5.3.0 via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
This issue has been addressed in the following products: JBoss Enterprise Portal Platform 5.2.2 via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html
Acknowledgements: This issue was discovered by Red Hat.
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.2.0 via RHSA-2013:0194 https://rhn.redhat.com/errata/RHSA-2013-0194.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 5 via RHSA-2013:0192 https://rhn.redhat.com/errata/RHSA-2013-0192.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 6 via RHSA-2013:0191 https://rhn.redhat.com/errata/RHSA-2013-0191.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 6 via RHSA-2013:0195 https://rhn.redhat.com/errata/RHSA-2013-0195.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 4 via RHSA-2013:0193 https://rhn.redhat.com/errata/RHSA-2013-0193.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 4 via RHSA-2013:0197 https://rhn.redhat.com/errata/RHSA-2013-0197.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 5 via RHSA-2013:0196 https://rhn.redhat.com/errata/RHSA-2013-0196.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.2.0 via RHSA-2013:0198 https://rhn.redhat.com/errata/RHSA-2013-0198.html