Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1191 to the following vulnerability:

mod_proxy_ajp in Apache httpd 2.2.11 allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving a request from a different client that included a Content-Length header but no POST data.

This is similar to the issue CVE-2008-5519 in mod_jk.

Prior to httpd 2.2.11 this was not an issue. It was an issue due to http://svn.apache.org/viewvc?view=rev&revision=711779

Patch will be applied to 2.2.12: http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/
The patch is available for download from the following location: https://support.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=873
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 5
  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1058 https://rhn.redhat.com/errata/RHSA-2009-1058.html