Oracle GlassFish Server 2.1.1.x < 22.214.171.124 / 3.0.1.x < 126.96.36.199 / 3.1.2.x < 188.8.131.52 Java Server Faces RCE (October 2016 CPU)
High Nessus Plugin ID 94161
Synopsis
The remote web server is affected by a remote code execution vulnerability.
Description
According to its self-reported version number, the Oracle GlassFish Server running on the remote host is 2.1.1.x prior to 184.108.40.206, 3.0.1.x prior to 220.127.116.11, or 3.1.2.x prior to 18.104.22.168. It is, therefore, affected by a remote code execution vulnerability in the Java Server Faces subcomponent. An authenticated, remote attacker can exploit this to execute arbitrary code.
Solution
Upgrade to Oracle GlassFish Server version 22.214.171.124, 126.96.36.199, or 188.8.131.52, as referenced in the October 2016 Oracle Critical Patch Update advisory.