SB2017101711 - Multiple vulnerabilities in Oracle GlassFish Server


Published: October 17, 2017 Updated: April 15, 2019

Security Bulletin ID: SB2017101711
Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 20%
Low: 80%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2017-10391)

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Administration component. A remote attacker can partially read and modify arbitrary files and cause partial denial of service on the target system.

2) Improper access control (CVE-ID: CVE-2017-10385)

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Web Container component. A remote attacker can partially read and modify arbitrary files and cause partial denial of service on the target system.

3) Improper access control (CVE-ID: CVE-2017-10393)

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Web Container component. A remote attacker can partially read and modify arbitrary files and cause partial denial of service on the target system.

4) Improper access control (CVE-ID: CVE-2017-10400)

The vulnerability allows a remote attacker to access potentially sensitive information.

The weakness exists due to a flaw in the Oracle GlassFish Server Administration Graphical User Interface component. A remote attacker can partially read and modify arbitrary files on the target system.

5) Resource exhaustion (CVE-ID: CVE-2016-3092)

The vulnerability allows a remote attacker to cause denial of service conditions on the target system.

The vulnerability exists due to an input validation error when processing very long boundary strings within the MultipartStream class in Apache Commons FileUpload. A remote user can cause denial of service conditions by sending a specially crafted boundary string that consumes excessive CPU resources.

Successful exploitation of this vulnerability may result in a denial of service attack.
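As an added example (not part of this bulletin, and not Oracle's or Apache's own fix), the following Python check illustrates the defensive side of item 5: it validates the multipart boundary parameter against the RFC 2046 limits (1 to 70 characters from the permitted set) before a request body is handed to an upload parser, so an overlong boundary is rejected up front. The function names and the sample Content-Type headers are constructed for this illustration.

```python
import re

# RFC 2046 section 5.1.1: a multipart boundary is 1 to 70 characters drawn from
# the "bchars" set and must not end with a space. Enforcing this before the body
# reaches the multipart parser bounds the work an overlong boundary can cause.
MAX_BOUNDARY_LEN = 70
BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/form-data Content-Type, or None."""
    media_type, _, params = content_type.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, sep, value = param.strip().partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form of the parameter
            return value
    return None


def check_multipart_request(content_type):
    """Return (accepted, reason); length is checked before the character set."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return False, "not multipart/form-data or boundary missing"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, f"boundary length {len(boundary)} exceeds RFC 2046 limit of {MAX_BOUNDARY_LEN}"
    if boundary.endswith(" ") or not BCHARS.match(boundary):
        return False, "boundary contains characters outside the RFC 2046 set"
    return True, "ok"


# Constructed sample Content-Type headers (not taken from any real traffic).
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundaryAbC123",
    'multipart/form-data; charset=utf-8; boundary="simple boundary"',
    "multipart/form-data; boundary=" + "A" * 4096,  # overlong boundary
    "multipart/form-data; boundary=abc<>def",       # illegal characters
    "application/json",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        accepted, reason = check_multipart_request(header)
        print("ACCEPT" if accepted else "REJECT", reason, "<-", header[:60])
```

In a servlet container this check belongs in a filter that runs before the upload component parses the body; the same logic can be applied at a reverse proxy or WAF.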


Remediation

Install update from vendor's website.