Oracle GlassFish Server 2.1.1.x < 18.104.22.168 Mozilla NSS ASN.1 Structure Handling RCE (October 2016 CPU)
Severity: High
Nessus Plugin ID: 94160
Synopsis
The remote web server is affected by a remote code execution vulnerability.
Description
According to its self-reported version number, the Oracle GlassFish Server running on the remote host is 2.1.1.x prior to 22.214.171.124. It is, therefore, affected by a remote code execution vulnerability in the Mozilla Network Security Services (NSS) component due to improper validation of user-supplied input when parsing ASN.1 structures. An unauthenticated, remote attacker can exploit this, via crafted ASN.1 data in an X.509 certificate, to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.
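The defect class named above is a DER parser trusting an attacker-controlled length field. The advisory gives no detail of the specific NSS code path, so the following is an added, general illustration (not NSS or GlassFish code) of how a DER tag/length header is decoded with the bounds checks that prevent a declared length from running past the buffer; the sample encodings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of decoding one DER tag/length header. */
typedef struct {
    uint8_t tag;
    size_t len;      /* declared content length */
    size_t hdr_len;  /* bytes consumed by tag + length octets */
} der_tlv;

/* Decode a single DER tag/length header from buf[0..buf_len).
 * Returns 1 on success, 0 if the encoding is malformed or the declared
 * length would run past the end of the buffer. Only single-octet tags and
 * definite lengths of up to 4 octets are accepted (sufficient for X.509). */
int der_read_tlv(const uint8_t *buf, size_t buf_len, der_tlv *out)
{
    size_t pos = 0;
    if (buf_len < 2) return 0;                 /* need at least tag + length octet */
    out->tag = buf[pos++];
    if ((out->tag & 0x1f) == 0x1f) return 0;   /* multi-octet tag form: not used here */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        out->len = first;                      /* short form: length is the octet itself */
    } else {
        size_t n = first & 0x7f;
        if (n == 0 || n > 4) return 0;         /* indefinite length or oversized count */
        if (buf_len - pos < n) return 0;       /* the length octets themselves are truncated */
        size_t len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        /* DER requires the minimal encoding: reject a long form that fits a shorter one. */
        if (len < 0x80 || (n > 1 && len < ((size_t)1 << (8 * (n - 1))))) return 0;
        out->len = len;
    }
    out->hdr_len = pos;
    /* The check that matters for memory safety: contents must fit in what remains. */
    if (out->len > buf_len - pos) return 0;
    return 1;
}

/* Constructed sample encodings (not taken from any real certificate). */
static const uint8_t ok_seq[]       = {0x30, 0x03, 0x02, 0x01, 0x05};             /* SEQUENCE { INTEGER 5 } */
static const uint8_t overlong_seq[] = {0x30, 0x82, 0xff, 0xff, 0x02, 0x01, 0x05}; /* claims 65535 bytes */
static const uint8_t indef_seq[]    = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00}; /* indefinite length */
static const uint8_t nonmin_seq[]   = {0x30, 0x81, 0x03, 0x02, 0x01, 0x05};       /* long form for 3 */

/* Convenience wrapper: 1 if buf decodes cleanly, 0 if the header is rejected. */
int der_accepts(const uint8_t *buf, size_t buf_len)
{
    der_tlv t;
    return der_read_tlv(buf, buf_len, &t);
}
```

Without the final length-versus-remaining-bytes comparison, a caller that trusted `len` to copy or index the contents would read or write beyond the buffer on input like `overlong_seq`.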
Solution
Upgrade to Oracle GlassFish Server version 126.96.36.199 as referenced in the October 2016 Oracle Critical Patch Update advisory.