Oracle GlassFish Server 2.1.1.x < 220.127.116.11 NSS ASN.1 Decoder RCE (April 2016 CPU)
Critical Nessus Plugin ID 90681
Synopsis
The remote web server is affected by a remote code execution vulnerability.
Description
According to its self-reported version, the Oracle GlassFish Server running on the remote host is 2.1.1.x prior to 18.104.22.168. It is, therefore, affected by a heap buffer overflow condition in the ASN.1 decoder in the Network Security Services (NSS) library. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service or to execute arbitrary code.
Solution
Upgrade to Oracle GlassFish Server version 22.214.171.124 or later, as referenced in the April 2016 Oracle Critical Patch Update advisory.