CVE-2012-1094: 
Java vulnerability analysis and mitigation

JBoss AS 7 prior to version 7.1.1 and mod_cluster contained a vulnerability where they handled default hostname differently, which could cause the excluded-contexts list to be mismatched and expose the root context. This vulnerability is tracked as CVE-2012-1094 and was resolved with the release of JBoss AS 7.1.1.Final (NVD, Red Hat Bugzilla).

The vulnerability stems from a mismatch between AS 7 and mod_cluster in handling the default hostname. The excluded-contexts list requires both the hostname and path to correctly identify a context. Due to this mismatch, mod_cluster failed to properly match the contents of the excluded-contexts list. The issue was resolved by automatically prepending the default hostname to the path when parsing the excluded-contexts list. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could result in the exposure of sensitive information to unauthorized actors through the unintended exposure of the root context, despite it being listed in the excluded-contexts list (NVD).

The vulnerability was fixed in JBoss AS 7.1.1.Final. Users should upgrade to this version or later to resolve the issue. It's worth noting that this vulnerability did not affect OpenShift as mod_cluster was not being used, and no SOA-P/BRMS-P/EDS-P products were based on AS 7 at the time (Red Hat Bugzilla).