Oracle GlassFish Server 3.0.1.x < 220.127.116.11 Multiple Vulnerabilities (July 2016 CPU)
Severity: Critical
Nessus Plugin ID 92463

Synopsis
The remote web server is affected by multiple vulnerabilities.

Description
According to its self-reported version number, the Oracle GlassFish Server running on the remote host is 3.0.1.x prior to 18.104.22.168. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists in the bundled version of libcurl in the smb_request_state() function due to using values that are assumed valid without properly checking boundaries. An unauthenticated, remote attacker can exploit this, via a malicious SMB server, to disclose arbitrary memory contents. (CVE-2015-3237)
- An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3607)
- Multiple unspecified flaws exist in the Administration subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information.
Solution
Upgrade to Oracle GlassFish Server version 22.214.171.124 or later as referenced in the July 2016 Oracle Critical Patch Update advisory.
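The detection logic the Description relies on is a branch-aware version comparison: a host is flagged only when its self-reported version is on the 3.0.1.x line and older than the fix release. The following is an added example of that check, not code from the Nessus plugin; the FIXED_VERSION value is an assumed placeholder to be replaced with the 3.0.1.x fix release named in the July 2016 CPU advisory.

```python
"""Branch-aware version check for a 3.0.1.x advisory (added example)."""
from typing import Tuple

AFFECTED_BRANCH = "3.0.1"   # from the advisory: only 3.0.1.x releases are in scope
FIXED_VERSION = "3.0.1.99"  # PLACEHOLDER (assumed); substitute the real fix release


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '3.0.1.8' into a tuple of ints.

    Non-numeric components are rejected with ValueError so that a garbled or
    unexpected banner is never silently treated as an old (affected) version.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(reported: str, fixed: str = FIXED_VERSION,
                branch: str = AFFECTED_BRANCH) -> bool:
    """True when `reported` is on `branch` and strictly older than `fixed`."""
    rep = parse_version(reported)
    fix = parse_version(fixed)
    br = parse_version(branch)
    # Other branches (e.g. 3.1.2.x) have their own fix releases; do not flag them here.
    if rep[:len(br)] != br:
        return False
    # Pad with zeros so a short string like '3.0.1' compares as '3.0.1.0'.
    width = max(len(rep), len(fix))
    rep_padded = rep + (0,) * (width - len(rep))
    fix_padded = fix + (0,) * (width - len(fix))
    return rep_padded < fix_padded


if __name__ == "__main__":
    # Constructed sample banners; the fix value here is a placeholder, not the advisory's.
    for sample in ("3.0.1.5", "3.0.1", "3.0.1.99", "3.1.2.5"):
        print(sample, "affected" if is_affected(sample) else "not affected")
```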