Oracle GlassFish Server Multiple Vulnerabilities (July 2015 CPU)

high Nessus Plugin ID 84810

Language:

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of Oracle GlassFish Server running on the remote host is affected by multiple vulnerabilities :

 - A security bypass vulnerability exists in the bundled Network Security Services (NSS) library because the definite_length_decoder() function, in file quickder.c, does not properly form the DER encoding of an ASN.1 length. A remote attacker, by using a long byte sequence for an encoding, can exploit this issue to conduct undetected smuggling of arbitrary data. (CVE-2014-1569)

 - An unspecified flaw exists related to the Java Server Faces subcomponent. A remote attacker can exploit this to affect the integrity of the system. (CVE-2015-2623)

 - An unspecified flaw exists related to the Java Server Faces and Web Container subcomponents. A remote attacker can exploit this to affect the integrity of the system.
 (CVE-2015-4744)

Solution

Upgrade to Oracle GlassFish Server 2.1.1.26 / 3.0.1.12 / 3.1.2.12 or later as referenced in the July 2015 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?d18c2a85

Plugin Details

Severity: High

ID: 84810

File Name: glassfish_cpu_jul_2015.nasl

Version: 1.8

Type: remote

Family: Web Servers

Published: 7/16/2015

Updated: 7/12/2018

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Exploit Ease: No known exploits are available

Patch Publication Date: 7/14/2015

Vulnerability Publication Date: 10/6/2014

Reference Information

CVE: CVE-2014-1569, CVE-2015-2623, CVE-2015-4744

BID: 71675, 75848, 75859