Applies To:
HP ALM, JBoss, HP QC 11.0
Issue:
The http-invoker component of JBoss Application Server which is present in the default ALM / QC deployment might provide an additional access point to the system in some circumstances.
The remote web server is affected by a remote code execution vulnerability.
The "EBJInvokerServlet" and "JMXInvokerServlet" servlets hosted on the web server on the remote host are accessible to unauthenticated users and can be used to deploy arbitrary web application archive (WAR) files to the remote host. This could allow a remote, unauthenticated attacker to execute arbitrary Java code on the host by sending a specially crafted marshalled object. Note that this issue is known to affect McAfee Web Reporter versions prior to or equal to version 5.2.1 as well as Symantec Workspace Streaming version 7.5.0.493 and possibly earlier.
Solution: