Oracle GlassFish Server 2.1.1.x < 2.1.1.29 / 3.0.1.x < 3.0.1.14 / 3.1.2.x < 3.1.2.15 Java Server Faces RCE (October 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a remote code execution
vulnerability.

Description :

According to its self-reported version number, the Oracle GlassFish
Server running on the remote host is 2.1.1.x prior to 2.1.1.29,
3.0.1.x prior to 3.0.1.14, or 3.1.2.x prior to 3.1.2.15. It is,
therefore, affected by a remote code execution vulnerability in the
Java Server Faces subcomponent. An authenticated, remote attacker can
exploit this to execute arbitrary code.
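The check below is an added example, not Tenable's plugin code: it applies the branch-specific fixed versions listed in this advisory to a self-reported version banner, treating each affected branch (2.1.1.x, 3.0.1.x, 3.1.2.x) separately so that, for instance, 3.0.1.20 is not wrongly compared against 3.1.2.15. The banner formats and the version regex are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed versions per affected branch, as stated in the advisory.
# Any other branch is reported as out of scope (None), not as fixed.
FIXED_VERSIONS = {
    (2, 1, 1): (2, 1, 1, 29),
    (3, 0, 1): (3, 0, 1, 14),
    (3, 1, 2): (3, 1, 2, 15),
}

def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract the first dotted version with at least three components
    from a banner string (assumed format, e.g. 'GlassFish Server 3.1.2.13')."""
    m = re.search(r"(\d+(?:\.\d+){2,})", banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(banner: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at
    or above the branch's fixed version, None if the branch is out of scope."""
    version = parse_version(banner)
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed is None:
        return None
    # Pad a short version such as "3.1.2" with zeros so it compares as
    # 3.1.2.0 and is correctly flagged as older than 3.1.2.15.
    padded = version + (0,) * (len(fixed) - len(version))
    return padded < fixed

def fixed_version_for(banner: str) -> Optional[str]:
    """Return the fixed version to upgrade to, or None if out of scope."""
    fixed = FIXED_VERSIONS.get(parse_version(banner)[:3])
    return ".".join(map(str, fixed)) if fixed else None

if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for b in ["Oracle GlassFish Server 3.1.2.13", "GlassFish Server 3.0.1.14",
              "GlassFish Server Open Source Edition 4.1.2.181"]:
        print(b, "->", is_affected(b), "fixed:", fixed_version_for(b))
```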

See also :

http://www.nessus.org/u?bac902d5

Solution :

Upgrade to Oracle GlassFish Server version 2.1.1.29, 3.0.1.14, or
3.1.2.15 as referenced in the October 2016 Oracle Critical Patch
Update advisory.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 6.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 94161

Bugtraq ID: 93698

CVE ID: CVE-2016-5519
