Oracle GlassFish Server 2.1.1.x < 126.96.36.199 NSS ASN.1 Decoder RCE (April 2016 CPU)
Critical Nessus Plugin ID 90681
Synopsis
The remote web server is affected by a remote code execution vulnerability.

Description
According to its self-reported version, the Oracle GlassFish Server running on the remote host is 2.1.1.x prior to 188.8.131.52. It is, therefore, affected by a heap buffer overflow condition in the ASN.1 decoder in the Network Security Services (NSS) library. A remote attacker can exploit this, via crafted OCTET STRING data, to cause a denial of service or to execute arbitrary code.

Solution
Upgrade to Oracle GlassFish Server version 184.108.40.206 or later as referenced in the April 2016 Oracle Critical Patch Update advisory.
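The defect class described above, a decoder honouring an ASN.1 length field beyond the bytes actually present, comes down to one bounds check. The following is an added illustration written for this page, not NSS code and not the vulnerable routine itself: a DER OCTET STRING decoder that refuses any element whose declared length exceeds the remaining input, exercised on constructed sample encodings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DER_OCTET_STRING 0x04
typedef struct {              /* result of decoding one DER OCTET STRING TLV */
    const uint8_t *data;      /* start of contents, NULL on failure */
    size_t len;               /* declared length, verified to fit the input */
    size_t consumed;          /* bytes of input used by the whole TLV */
} der_octets_t;
/* Decode one DER OCTET STRING from buf[0..buflen). Returns 1 on success,
 * 0 if the encoding is malformed or declares more content than is present. */
int der_decode_octet_string(const uint8_t *buf, size_t buflen, der_octets_t *out)
{
    size_t pos = 0, len = 0;
    out->data = NULL; out->len = 0; out->consumed = 0;
    if (buflen < 2 || buf[pos++] != DER_OCTET_STRING) return 0;
    uint8_t lb = buf[pos++];
    if (lb < 0x80) {
        len = lb;                             /* short form */
    } else {
        size_t n = lb & 0x7f;                 /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > buflen - pos) return 0; /* 0x80 is indefinite, not DER */
        if (buf[pos] == 0) return 0;          /* DER forbids leading zero length bytes */
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;             /* should have used the short form */
    }
    if (len > buflen - pos) return 0;         /* never honour a length past the buffer */
    out->data = buf + pos; out->len = len; out->consumed = pos + len;
    return 1;
}
/* Constructed sample encodings (not captured from real traffic). */
static const uint8_t good[]    = {0x04, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t crafted[] = {0x04, 0x82, 0xFF, 0xFF, 'a', 'b'};   /* claims 65535 bytes */
static const uint8_t nonmin[]  = {0x04, 0x81, 0x05, 'h', 'e', 'l', 'l', 'o'};
int demo_valid_decode(void) {              /* 1 when "hello" decodes with length 5 */
    der_octets_t o; int ok = der_decode_octet_string(good, sizeof good, &o);
    return ok == 1 && o.len == 5 && o.consumed == 7 && memcmp(o.data, "hello", 5) == 0;
}
int demo_crafted_length_rejected(void) {   /* 1 when the overlong claim is refused */
    der_octets_t o; return der_decode_octet_string(crafted, sizeof crafted, &o) == 0 && o.data == NULL;
}
int demo_nonminimal_rejected(void) {       /* 1 when a non-DER length form is refused */
    der_octets_t o; return der_decode_octet_string(nonmin, sizeof nonmin, &o) == 0;
}
int main(void) {
    printf("valid=%d crafted_rejected=%d nonminimal_rejected=%d\n", demo_valid_decode(),
           demo_crafted_length_rejected(), demo_nonminimal_rejected());
    return 0;
}
```

The rejected sample declares 65535 content bytes while only two follow the length field; a decoder that copied by the declared length instead of the available length would read or write past its buffer, which is the shape of the condition this plugin reports.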