thanks to anyone reading this post.

感谢任何阅读这篇文章的人。

A penetration test was performed by an external agency on my Staging server application which is on JBoss 4.0.4 instance.

渗透测试由外部机构在我的 JBoss 4.0.4 实例上的 Staging 服务器应用程序上执行。

It was reported for ‘Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution'

报告“Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Marshalled Object Remote Code Execution”

It is suggested to upgrade the JBoss server to close the vulnerability. Because of different business reasons I cannot upgrade to latest versions for the next 1 year or so.

建议升级JBoss服务器关闭漏洞。由于不同的业务原因，我无法在接下来的 1 年左右升级到最新版本。

In my application we don't need to use any war deployment through any of these Servlets. I made some changes to work around [work around for the next 1 year]. What is the best way to test whether the environment is still vulnerable to this reported case? – Don't have option to get the service from the external agency again.

在我的应用程序中，我们不需要通过任何这些 Servlet 使用任何War部署。我做了一些改变来解决[在接下来的 1 年中解决]。测试环境是否仍然容易受到此报告案例的影响的最佳方法是什么？– 无法再次从外部机构获取服务。

By the way after my changes, for the urls http:///invoker/EJBInvokerServlet and http:///invoker/JMXInvokerServlet I can see the page with message ‘The requested resource (/invoker/JMXInvokerServlet) is not available.' Before the changes these urls were opening EJBInvokerServlet and JMXInvokerServlet

顺便说一下，在我更改之后，对于 URL http:///invoker/EJBInvokerServlet 和 http:///invoker/JMXInvokerServlet，我可以看到带有消息“请求的资源 (/invoker/JMXInvokerServlet) 不可用”的页面。在更改这些 url 之前打开 EJBInvokerServlet 和 JMXInvokerServlet

Can someone please suggest the way to validate whether the environment is still vulnerable?

有人可以建议验证环境是否仍然脆弱的方法吗？

Also let me know if there is any recommended solution is available fix the vulnerability in JBoss 4.0.4.

另外让我知道是否有任何推荐的解决方案可以修复 JBoss 4.0.4 中的漏洞。

Thank you.

谢谢你。