Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)

high Nessus Plugin ID 76591

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components:

- The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739)

- The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740)

- Network Security Services (NSS) contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741)

- An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605)

- An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606)

- Oracle Mojarra contains a cross-site scripting vulnerability due to improperly sanitized user-supplied input. This allows an attacker to execute arbitrary script code within the context of the affected site. (CVE-2013-5855)

- Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490)

- Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491)

- An issue exists in the Network Security Services (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue allows man-in-the-middle attacks. (CVE-2014-1492)

Solution

Upgrade to GlassFish Server 2.1.1.24 / 3.0.1.9 / 3.1.2.9 or later.

See Also

http://www.nessus.org/u?77697fb1

Plugin Details

Severity: High

ID: 76591

File Name: glassfish_cpu_jul_2014.nasl

Version: 1.14

Type: remote

Family: Web Servers

Published: 7/18/2014

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2014

Vulnerability Publication Date: 7/15/2014

Reference Information

CVE: CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2013-5855, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492

BID: 62966, 63736, 63737, 63738, 64944, 65332, 65335, 65600, 66356

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990