Oracle GlassFish Server 3.1.2.x < 3.1.2.19 (October 2018 CPU)

Medium Nessus Plugin ID 119559

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version, the Oracle GlassFish Server running on the remote host is 3.1.2.x prior to 3.1.2.19. It is, therefore, affected by multiple vulnerabilities:

- A vulnerability that an unauthenticated attacker with network access could use to compromise Oracle GlassFish Server. A successful attack would allow access to critical data, including the creation, deletion or modification of that data, on the remote server. This attack requires human interaction. (CVE-2018-2911)
- An unauthenticated attacker with network access can compromise Oracle GlassFish Server. An attacker who successfully exploited the vulnerability could cause a hang or a complete DoS of Oracle GlassFish Server. (CVE-2018-3152)
- An unauthenticated attacker with network access could compromise Oracle GlassFish Server. An attacker who successfully exploited the vulnerability could have read access to Oracle GlassFish Server information. (CVE-2018-3210)
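The check this plugin performs is a version-range comparison on the self-reported banner. The following is an added Python example, not Tenable's NASL plugin code: it extracts the dotted version from a banner string (the sample banners are constructed) and flags only the 3.1.2.x branch below the fixed release 3.1.2.19, treating a short version such as "3.1.2" as 3.1.2.0.

```python
import re
from typing import Optional, Tuple

# First fixed release named in the advisory text above.
FIXED_VERSION = (3, 1, 2, 19)
AFFECTED_BRANCH = (3, 1, 2)


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version out of a self-reported banner.

    Returns a tuple of ints, or None when no version is present.
    """
    match = re.search(r"(\d+(?:\.\d+)+)", banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(banner: str) -> bool:
    """True when the banner reports a 3.1.2.x version older than 3.1.2.19.

    Versions outside the 3.1.2 branch are out of scope for this check and
    return False; a missing version also returns False (unknown, not vulnerable).
    """
    version = parse_version(banner)
    if version is None or version[:3] != AFFECTED_BRANCH:
        return False
    # Pad to four components so "3.1.2" compares as 3.1.2.0.
    padded = version + (0,) * (4 - len(version))
    return padded[:4] < FIXED_VERSION


# Constructed sample banners, not captured from a real host.
SAMPLE_BANNERS = [
    "GlassFish Server Open Source Edition 3.1.2.2",
    "Oracle GlassFish Server 3.1.2.19",
    "GlassFish Server Open Source Edition 4.1.2",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: affected={is_affected(banner)}")
```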

Solution

Upgrade to Oracle GlassFish Server version 3.1.2.19 or later as referenced in the October 2018 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?705136d8

http://www.nessus.org/u?28d119b1

Plugin Details

Severity: Medium

ID: 119559

File Name: glassfish_cpu_oct_2018.nasl

Version: 1.1

Type: remote

Family: Web Servers

Published: 2018/12/11

Updated: 2018/12/11

Dependencies: 55930

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2018-2911

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Patch Publication Date: 2018/10/16

Vulnerability Publication Date: 2018/10/16

Reference Information

CVE: CVE-2018-3152, CVE-2018-3210, CVE-2018-2911

BID: 105618