Those organizations should follow the instructions for securing their JBoss installations that are available on the JBoss Community website, he said.
IBM also provided information on securing the JMX Console and the EJBInvoker in response to Micalizzi's exploit.
The Red Hat Security Response Team said that while CVE-2013-4810 refers to the exposure of unauthenticated JMXInvokerServlet and EJBInvokerServlet interfaces on HP ProCurve Manager, "These servlets are also exposed without authentication by default on older unsupported community releases of JBoss AS (WildFly) 4.x and 5.x. All supported Red Hat JBoss products that include the JMXInvokerServlet and EJBInvokerServlet interfaces apply authentication by default, and are not affected by this issue. Newer community releases of JBoss AS (WildFly) 7.x are also not affected by this issue."
Like Shteiman, Red Hat advised users of older JBoss AS releases to follow the instructions available on the JBoss website in order to apply authentication to the invoker servlet interfaces.
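A `web.xml` security constraint of the kind those instructions call for, written here as an added illustration rather than the JBoss website's own text or the configuration JBoss ships; the role name, realm name and the decision to require HTTPS are assumptions:

```xml
<!-- Illustrative fragment for WEB-INF/web.xml of the HTTP invoker web
     application on JBoss AS 4.x/5.x (role and realm names are assumed).
     It sits alongside the existing <servlet> and <servlet-mapping>
     entries, which are left unchanged. -->

<!-- Require an authenticated caller for every request to both invoker servlets. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HttpInvokers</web-resource-name>
    <description>Remote invocation endpoints that must never be anonymous</description>
    <url-pattern>/JMXInvokerServlet/*</url-pattern>
    <url-pattern>/EJBInvokerServlet/*</url-pattern>
    <!-- Deliberately no <http-method> elements: with none listed the
         constraint covers every HTTP method, so an unlisted verb
         cannot slip past it. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials travel in clear text, so insist on TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss HTTP Invoker</realm-name>
</login-config>

<security-role>
  <description>Administrators permitted to call the invoker servlets</description>
  <role-name>JBossAdmin</role-name>
</security-role>
```

The JBossAdmin role still has to be backed by a security domain declared in the same application's WEB-INF/jboss-web.xml (AS 4.x/5.x ship a jmx-console JAAS domain for this purpose), and the CONFIDENTIAL guarantee assumes an SSL connector is configured. After redeploying, an unauthenticated request to /invoker/JMXInvokerServlet should be answered with 401 rather than 200.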
The Red Hat security team has also been aware of this issue affecting certain versions of the JBoss Enterprise Application Platform, Web Platform and BRMS Platform since 2012 when it tracked the vulnerability as CVE-2012-0874. The issue has been addressed and current versions of JBoss Enterprise Platforms based on JBoss AS 4.x and 5.x are no longer vulnerable, the team said.