Oracle GlassFish Server 2.1.1.x < 2.1.1.30 / 3.0.1.x < 3.0.1.15 / 3.1.2.x < 3.1.2.16 Multiple Vulnerabilities (January 2017 CPU)

Nessus Network Monitor Plugin ID 9947 (Severity: High)

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

Oracle GlassFish versions 2.1.1.x prior to 2.1.1.30, 3.0.1.x prior to 3.0.1.15, and 3.1.2.x prior to 3.1.2.16 are affected by the following vulnerabilities:

- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2016-5528)
- An unspecified flaw exists related to the Administration subcomponent. This may allow a local attacker to gain access to potentially sensitive information. No further details have been provided by the vendor. (CVE-2017-3239)
- An unspecified flaw exists related to the Core subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3247)
- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to have an impact on confidentiality, integrity, and availability. No further details have been provided by the vendor. (CVE-2017-3249)
- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to have an impact on confidentiality, integrity, and availability. No further details have been provided by the vendor. (CVE-2017-3250)

Solution

Upgrade to GlassFish Server 3.1.2.16 or later. If 3.1.2.x cannot be obtained, versions 3.0.1.15 and 2.1.1.30 have also been patched for these vulnerabilities.

See Also

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Plugin Details

Severity: High

ID: 9947

File Name: 9947.prm

Family: Web Servers

Published: 2017/02/09

Modified: 2017/04/04

Dependencies: 9755

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Patch Publication Date: 2017/01/17

Vulnerability Publication Date: 2017/01/17

Reference Information

CVE: CVE-2016-5528, CVE-2017-3239, CVE-2017-3247, CVE-2017-3249, CVE-2017-3250

BID: 95478, 95480, 95483, 95484, 95493

OSVDB: 150245, 150246, 150247, 150248, 150249