Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)

High Nessus Plugin ID 76591

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components :

- The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739)

- The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks.
(CVE-2013-1740)

- Network Security Services (NSS) contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741)

- An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605)

- An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid.
(CVE-2013-5606)

- Oracle Mojarra contains a cross-site scripting vulnerability due to improperly sanitized user-supplied input. This allows an attacker to execute arbitrary script code within the context of the affected site. (CVE-2013-5855)

- Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490)

- Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491)

- An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue allows man-in- the-middle attacks. (CVE-2014-1492)

Solution

Upgrade to GlassFish Server 2.1.1.24 / 3.0.1.9 / 3.1.2.9 or later.

See Also

http://www.nessus.org/u?77697fb1

Plugin Details

Severity: High

ID: 76591

File Name: glassfish_cpu_jul_2014.nasl

Version: 1.14

Type: remote

Family: Web Servers

Published: 2014/07/18

Updated: 2018/11/15

Dependencies: 55930

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/07/15

Vulnerability Publication Date: 2014/07/15

Reference Information

CVE: CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2013-5855, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492

BID: 62966, 63736, 63737, 63738, 64944, 65332, 65335, 65600, 66356

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990