Oracle GlassFish Server Multiple Vulnerabilities (July 2015 CPU)
High Nessus Plugin ID 84810
Synopsis: The remote web server is affected by multiple vulnerabilities.
Description: The version of Oracle GlassFish Server running on the remote host is affected by multiple vulnerabilities:
- A security bypass vulnerability exists in the bundled Network Security Services (NSS) library because the definite_length_decoder() function, in file quickder.c, does not properly form the DER encoding of an ASN.1 length. A remote attacker, by using a long byte sequence for an encoding, can exploit this issue to conduct undetected smuggling of arbitrary data. (CVE-2014-1569)
- An unspecified flaw exists related to the Java Server Faces subcomponent. A remote attacker can exploit this to affect the integrity of the system. (CVE-2015-2623)
- An unspecified flaw exists related to the Java Server Faces and Web Container subcomponents. A remote attacker can exploit this to affect the integrity of the system.
Solution: Upgrade to Oracle GlassFish Server 184.108.40.206 / 220.127.116.11 / 18.104.22.168 or later as referenced in the July 2015 Oracle Critical Patch Update advisory.
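The NSS item above comes down to a decoder accepting ASN.1 lengths that are not well-formed DER. The following is an added example, not NSS code and not Oracle's fix, of a strict length check that a parser or an inspection tool can apply before trusting a length field; the function and status names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are hypothetical, chosen for this example. */
enum der_len_status { DER_OK, DER_TRUNCATED, DER_INDEFINITE,
                      DER_NON_MINIMAL, DER_TOO_LARGE };

/* Strictly decode the DER length field at buf[0] (the octet after the tag).
 * avail = bytes left in buf. On DER_OK, *len is the content length and
 * *used the number of length octets consumed. */
enum der_len_status der_read_length(const uint8_t *buf, size_t avail,
                                    size_t *len, size_t *used)
{
    size_t value = 0, octets = 1;

    if (avail < 1)
        return DER_TRUNCATED;
    if (buf[0] < 0x80) {
        value = buf[0];                      /* short form: 0..127 */
    } else {
        size_t n = buf[0] & 0x7f;            /* count of length octets */
        if (n == 0)
            return DER_INDEFINITE;           /* 0x80 is BER-only */
        if (n > sizeof(size_t))
            return DER_TOO_LARGE;            /* would not fit in size_t */
        if (avail < 1 + n)
            return DER_TRUNCATED;
        if (buf[1] == 0)
            return DER_NON_MINIMAL;          /* padded with a leading zero */
        for (size_t i = 1; i <= n; i++)
            value = (value << 8) | buf[i];
        if (value < 0x80)
            return DER_NON_MINIMAL;          /* short form was required */
        octets = 1 + n;
    }
    if (value > avail - octets)
        return DER_TRUNCATED;                /* content runs past the buffer */
    *len = value;
    *used = octets;
    return DER_OK;
}

int main(void)
{
    /* Constructed sample: length 5 written in long form, which DER forbids. */
    const uint8_t padded[] = { 0x81, 0x05, 'h', 'e', 'l', 'l', 'o' };
    size_t len, used;
    printf("status=%d\n", der_read_length(padded, sizeof padded, &len, &used));
    return 0;
}
```

Rejecting every non-minimal form means each length has exactly one accepted encoding, so two parsers cannot disagree about where a value ends.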