Oracle GlassFish Server 2.1.1.x < 2.1.1.30 / 3.0.1.x < 3.0.1.15 / 3.1.2.x < 3.1.2.16 Multiple Vulnerabilities (January 2017 CPU)

Severity: High. Nessus Network Monitor Plugin ID 9947

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

Oracle GlassFish versions 2.1.1.x prior to 2.1.1.30, 3.0.1.x prior to 3.0.1.15, and 3.1.2.x prior to 3.1.2.16 are affected by the following vulnerabilities:

- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to execute arbitrary code. No further details have been provided by the vendor. (CVE-2016-5528)
- An unspecified flaw exists related to the Administration subcomponent. This may allow a local attacker to gain access to potentially sensitive information. No further details have been provided by the vendor. (CVE-2017-3239)
- An unspecified flaw exists related to the Core subcomponent. This may allow a context-dependent attacker to have an impact on integrity. No further details have been provided by the vendor. (CVE-2017-3247)
- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to have an impact on confidentiality, integrity, and availability. No further details have been provided by the vendor. (CVE-2017-3249)
- An unspecified flaw exists related to the Security subcomponent. This may allow a remote attacker to have an impact on confidentiality, integrity, and availability. No further details have been provided by the vendor. (CVE-2017-3250)

Solution

Upgrade to GlassFish Server 3.1.2.16 or later. If 3.1.2.x cannot be obtained, versions 3.0.1.15 and 2.1.1.30 have also been patched for these vulnerabilities.

See Also

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW

Plugin Details

Severity: High

ID: 9947

Family: Web Servers

Published: 2/9/2017

Updated: 3/6/2019

Nessus ID: 96624

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Patch Publication Date: 1/17/2017

Vulnerability Publication Date: 1/17/2017

Reference Information

CVE: CVE-2016-5528, CVE-2017-3239, CVE-2017-3247, CVE-2017-3249, CVE-2017-3250

BID: 95478, 95480, 95483, 95484, 95493