Red Hat Security Advisory 2012-1166-01
https://packetstormsecurity.com/files/115461/RHSA-2012-1166-01.txt
https://packetstormsecurity.com/files/115461/RHSA-2012-1166-01.txthttps://packetstormsecurity.com/files/115461/Red-Hat-Security-Advisory-2012-1166-01.htmlTue, 14 Aug 2012 01:05:08 GMTRed Hat Security Advisory 2012-1166-01 - mod_cluster is an Apache HTTP Server based load balancer that forwards requests from httpd to application server nodes. It can use the AJP, HTTP, or HTTPS protocols for communication with application server nodes. The RHSA-2012:0035 update for JBoss Enterprise Web Server 1.0.2 introduced a regression, causing mod_cluster to register and expose the root context of a server by default, even when "ROOT" was in the "excludedContexts" list in the mod_cluster configuration. If an application was deployed on the root context, a remote attacker could use this flaw to bypass intended access restrictions and gain access to that application.