Oracle GlassFish Server 3.1.2.x < 3.1.2.19 (October 2018 CPU)

High | Nessus Plugin ID 119559

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version, the Oracle GlassFish Server running on the remote host is 3.1.2.x prior to 3.1.2.19. It is, therefore, affected by multiple vulnerabilities:

- A vulnerability could allow an attacker with unauthenticated network access to compromise Oracle GlassFish Server. A successful attack could allow unauthorized creation, deletion or modification access to critical data on the remote server. This attack requires human interaction. (CVE-2018-2911)
- An unauthenticated attacker with network access can compromise Oracle GlassFish Server. An attacker who successfully exploited the vulnerability could cause a hang or a complete DoS of Oracle GlassFish Server. (CVE-2018-3152)
- An unauthenticated attacker with network access could compromise Oracle GlassFish Server. An attacker who successfully exploited the vulnerability could gain read access to Oracle GlassFish Server information. (CVE-2018-3210)
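The plugin's verdict rests on one condition: the self-reported version is 3.1.2.x and older than 3.1.2.19. The following is an added example (not the Nessus plugin's NASL code) that applies that same range check to a few constructed server banners and shows the one pitfall worth checking in any version-based detection, namely that a string comparison would rank 3.1.2.2 above 3.1.2.19.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the plugin description: 3.1.2.x prior to 3.1.2.19.
AFFECTED_PREFIX = (3, 1, 2)
FIXED_VERSION = (3, 1, 2, 19)


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from a self-reported banner.

    Returns a tuple of ints so comparisons are numeric (3.1.2.2 < 3.1.2.19)
    rather than lexicographic ("3.1.2.2" > "3.1.2.19" as strings).
    """
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version is 3.1.2.x and older than 3.1.2.19."""
    if version[:3] != AFFECTED_PREFIX:
        return False  # e.g. 3.1.1.x or 4.x are outside this plugin's range
    padded = version + (0,) * (4 - len(version))  # a bare "3.1.2" counts as 3.1.2.0
    return padded[:4] < FIXED_VERSION


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # no self-reported version: a version check cannot decide
    return "affected" if is_affected(version) else "not affected"


# Constructed sample banners for illustration, not real scan output.
SAMPLE_BANNERS = [
    "GlassFish Server Open Source Edition 3.1.2.2",
    "GlassFish Server Open Source Edition 3.1.2.19",
    "Oracle GlassFish Server 3.1.2",
    "GlassFish Server 4.1.2",
    "Server: GlassFish Server",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {assess(banner)}")
```

A banner with no version yields "unknown" rather than "not affected", which is the honest result for a check that relies on self-reported data.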

Solution

Upgrade to Oracle GlassFish Server version 3.1.2.19 or later as referenced in the October 2018 Oracle Critical Patch Update advisory.

See Also

http://www.nessus.org/u?705136d8

http://www.nessus.org/u?28d119b1

Plugin Details

Severity: High

ID: 119559

File Name: glassfish_cpu_oct_2018.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 12/11/2018

Updated: 11/1/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-2911

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:glassfish_server

Required KB Items: www/glassfish

Exploit Ease: No known exploits are available

Patch Publication Date: 10/16/2018

Vulnerability Publication Date: 10/16/2018

Reference Information

CVE: CVE-2018-2911, CVE-2018-3152, CVE-2018-3210

BID: 105618