Postgres Plus Advanced Server is an enterprise database solution. It includes several productivity tools, such as Migration Studio, Postgres Studio, DBA Management Server, and DBA Monitoring Console.
An authentication bypass vulnerability exists in the browser-based DBA Management Server tool included with EnterpriseDB Postgres Plus Advanced Server versions 8.x prior to 18.104.22.168. Postgres Plus Advanced Server uses JBoss Application Server to execute the DBA Management Server. The JBoss configuration does not limit access to the jmx-console and web-console applications. Unauthenticated clients can use these applications to upload and execute malicious files.
Update DBA Management Server to Build 39, or remove the jmx-console and web-console applications from the Postgres Plus Advanced Server.
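The weakness above is a JBoss deployment that leaves the jmx-console and web-console reachable without any security constraint. The following is an added defender-side audit, not code from EnterpriseDB, JBoss or this advisory: it parses the `web.xml` deployment descriptor of such an application and reports whether a `security-constraint` covering every URL (`url-pattern` `/*`) carries an `auth-constraint`. The two descriptors embedded below are constructed samples; the first mirrors the JBoss 4.x convention of shipping the constraint commented out, which is the unprotected state, and the second is the corrected form that requires the `JBossAdmin` role. Function names and the `audit` helper are assumptions for this example.

```python
"""Audit JBoss console deployment descriptors for an active auth constraint.

Hypothetical check for the condition described in the advisory: an
application such as jmx-console or web-console whose web.xml has no
effective <security-constraint>, so unauthenticated clients can reach it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: JBoss 4.x ships jmx-console's constraint commented out.
# ElementTree drops XML comments, so the constraint is simply absent.
UNPROTECTED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  -->
</web-app>"""

# Constructed sample: the same descriptor with the constraint enabled.
PROTECTED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>HtmlAdaptor</servlet-name>
    <servlet-class>org.jboss.jmx.adaptor.html.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def console_is_protected(web_xml_text: str) -> bool:
    """Return True if some security-constraint covers /* and has an auth-constraint.

    An <auth-constraint> with no <role-name> denies everyone, which still
    blocks anonymous access, so presence of the element is what matters.
    """
    root = ET.fromstring(web_xml_text)
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        patterns = {
            (el.text or "").strip()
            for el in constraint.iter()
            if _local(el.tag) == "url-pattern"
        }
        has_auth = any(_local(el.tag) == "auth-constraint" for el in constraint.iter())
        if "/*" in patterns and has_auth:
            return True
    return False


def audit(descriptors: dict) -> dict:
    """Map each deployed application name to whether its descriptor protects it."""
    return {name: console_is_protected(text) for name, text in descriptors.items()}


if __name__ == "__main__":
    # Hypothetical deployment: one console left at the shipped default, one fixed.
    report = audit({"jmx-console": UNPROTECTED_WEB_XML, "web-console": PROTECTED_WEB_XML})
    for app, ok in report.items():
        print(f"{app}: {'protected' if ok else 'UNPROTECTED - restrict or remove'}")
```

In a real deployment the descriptors live under each application's `WEB-INF/web.xml` in the JBoss deploy directory; feed those files to `audit` to confirm the consoles are either constrained or, per the advisory's alternative, removed entirely.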
This exploit works against EnterpriseDB Postgres Plus Advanced Server 22.214.171.124 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut).