Oracle GlassFish Server 3.1.2.x < Multiple Vulnerabilities (July 2016 CPU)

Critical Nessus Plugin ID 92462


The remote web server is affected by multiple vulnerabilities.


According to its self-reported version number, the Oracle GlassFish Server running on the remote host is 3.1.2.x prior to It is, therefore, affected by multiple vulnerabilities:

- An information disclosure vulnerability exists in the bundled version of libcurl in the smb_request_state() function due to using values that are assumed valid without properly checking boundaries. An unauthenticated, remote attacker can exploit this, via a malicious SMB server, to disclose arbitrary memory contents. (CVE-2015-3237)

- An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3607)


Upgrade to Oracle GlassFish Server version or later as referenced in the July 2016 Oracle Critical Patch Update advisory.

Plugin Details

Severity: Critical

ID: 92462

File Name: glassfish_cve-2015-3237.nasl

Version: $Revision: 1.5 $

Type: remote

Family: Web Servers

Published: 2016/07/20

Modified: 2016/11/11

Dependencies: 55930

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/07/19

Vulnerability Publication Date: 2015/06/17

Reference Information

CVE: CVE-2015-3237, CVE-2016-3607

BID: 75387

OSVDB: 123400, 141723