Is Process Automation vulnerable to the following CVEs?
CVE-2015-5178: The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
CVE-2015-5188: Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.
CVE-2015-5220: The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.
Remediation in 4.3 SP02 for the following CVEs
These had to do with the Management console.
In a 4.3 SP02, the management folder originally located at <PAM_Installation_Location>>\server\c2o\deploy is no longer present.
This was addressed with 4.3 SP2 and 4.3 SP3. Process Automation is not vulnerable to the CVEs mentioned.