Oracle GlassFish Server 2.1.1.x < 184.108.40.206 NSS ASN.1 Decoder RCE (April 2016 CPU)
High Nessus Plugin ID 90681
Synopsis: The remote web server is affected by a remote code execution vulnerability.
Description: According to its self-reported version, the Oracle GlassFish Server running on the remote host is 2.1.1.x prior to 220.127.116.11. It is, therefore, affected by a heap buffer overflow condition in the ASN.1 decoder in the Network Security Services (NSS) library. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service or to execute arbitrary code.
Solution: Upgrade to Oracle GlassFish Server version 18.104.22.168 or later as referenced in the April 2016 Oracle Critical Patch Update advisory.