4 weeks ago
We have a JBoss 6 web server hosting the tc application.
We get a security warning: "Red Hat JBoss EAP/Web Server Java UnSerialize Common-Collections Remote Code Execution Vulnerability".
The workaround for this is:
To resolve this specific de-serialization vulnerability, remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files.
Has anyone fixed this with JBoss 6.x? If yes, how (which jars have you modified, etc.)?
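The quoted workaround amounts to two steps: find every commons-collections jar under the JBoss installation that still ships the three gadget classes, then rewrite those jars without them. The following is an added example (not code from the post, from Red Hat, or from JBoss) that does both with only the Python standard library; the sample jar it builds is constructed for demonstration and is not a real commons-collections build, and the install root you pass to `scan_tree` is assumed to be your own JBoss directory.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Simple class names listed in the advisory workaround quoted in the post.
VULNERABLE_CLASSES = ("InvokerTransformer", "InstantiateFactory", "InstantiateTransformer")


def is_vulnerable_entry(name):
    """True if a jar entry is one of the listed classes, or an inner class of one
    (e.g. InvokerTransformer$1), under any package path; commons-collections 3.x
    and 4.x use different package names, so we deliberately do not match on them."""
    if not name.endswith(".class"):
        return False
    simple = name.rsplit("/", 1)[-1][: -len(".class")]
    base = simple.split("$", 1)[0]
    return base in VULNERABLE_CLASSES


def find_vulnerable_entries(jar_path):
    """List the entries in one jar that the workaround says to remove."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(n for n in zf.namelist() if is_vulnerable_entry(n))


def scan_tree(root):
    """Map every jar below root (assumed: a JBoss install dir) to its vulnerable entries."""
    report = {}
    for p in Path(root).rglob("*.jar"):
        hits = find_vulnerable_entries(p)
        if hits:
            report[str(p)] = hits
    return report


def strip_vulnerable_classes(jar_path, out_path):
    """Copy jar_path to out_path, dropping the vulnerable entries; returns what was removed.
    Writing to a new file keeps the original as a backup until you have tested the app."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_vulnerable_entry(info.filename):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return sorted(removed)


def build_sample_jar(path):
    """Constructed sample jar (placeholder class bodies, not real bytecode)."""
    pkg = "org/apache/commons/collections/functors/"
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        pkg + "InvokerTransformer.class": b"\xca\xfe\xba\xbe",
        pkg + "InstantiateFactory.class": b"\xca\xfe\xba\xbe",
        pkg + "InstantiateTransformer.class": b"\xca\xfe\xba\xbe",
        pkg + "ChainedTransformer.class": b"\xca\xfe\xba\xbe",  # must survive
    }
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def run_demo():
    """Scan a throwaway tree, strip one jar, and return what changed."""
    root = tempfile.mkdtemp()
    jar = build_sample_jar(os.path.join(root, "commons-collections-sample.jar"))
    fixed = os.path.join(root, "commons-collections-sample.fixed.jar")
    before = scan_tree(root)
    removed = strip_vulnerable_classes(jar, fixed)
    with zipfile.ZipFile(fixed) as zf:
        remaining = sorted(zf.namelist())
    return {"before": before, "removed": removed, "remaining": remaining,
            "after": find_vulnerable_entries(fixed)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run `scan_tree` against the JBoss install root first (stopped server) to get the list of jars the warning actually refers to, including copies bundled inside deployed applications, which `rglob` only finds once exploded archives are present. Then strip each jar to a new file, swap it in, and restart; removing the classes only breaks the specific gadget chain named in the warning, so treat it as the stop-gap the advisory calls it and still plan the vendor patch.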