JBOSS Application ServerにWeb管理画面のアクセスを既定で止めていないとのこと。

US-CERT is aware of a vulnerability in JBOSS Application Server. In a default configuration, JBOSS does not properly restrict access to the web-based administrative interface. This may allow an unauthenticated, remote attacker to gain access to, and possibly modify, data on the server.