Oracle GlassFish Server 3.1.2.x < 126.96.36.199 Multiple Vulnerabilities (July 2016 CPU)
Critical Nessus Plugin ID 92462
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its self-reported version number, the Oracle GlassFish Server running on the remote host is 3.1.2.x prior to 188.8.131.52. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists in the bundled version of libcurl in the smb_request_state() function due to using values that are assumed valid without properly checking boundaries. An unauthenticated, remote attacker can exploit this, via a malicious SMB server, to disclose arbitrary memory contents. (CVE-2015-3237)
- An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3607)
Solution
Upgrade to Oracle GlassFish Server version 184.108.40.206 or later as referenced in the July 2016 Oracle Critical Patch Update advisory.