Multiple vulnerabilities in Oracle GlassFish Server



Published: 2017-10-17 | Updated: 2019-04-15
Risk: Low
Patch available: Yes
Number of vulnerabilities: 5
CVE-ID: CVE-2017-10391, CVE-2017-10385, CVE-2017-10393, CVE-2017-10400, CVE-2016-3092
CWE-ID: CWE-284, CWE-400
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Oracle GlassFish Server (Server applications / Other server solutions); Apache Commons FileUpload (Server applications / Frameworks for developing and running applications)
Vendor: Oracle; Apache Foundation

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU8903

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10391

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Administration component. A remote attacker can partially read and modify arbitrary files and cause a partial denial of service on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle GlassFish Server: 3.0.1 - 3.1.2

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU8904

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10385

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Web Container component. A remote attacker can partially read and modify arbitrary files and cause a partial denial of service on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle GlassFish Server: 3.0.1 - 3.1.2

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper access control

EUVDB-ID: #VU8905

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10393

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to access potentially sensitive information and cause a DoS condition.

The weakness exists due to a flaw in the Oracle GlassFish Server Web Container component. A remote attacker can partially read and modify arbitrary files and cause a partial denial of service on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle GlassFish Server: 3.0.1 - 3.1.2

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper access control

EUVDB-ID: #VU8906

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-10400

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to access potentially sensitive information.

The weakness exists due to a flaw in the Oracle GlassFish Server Administration Graphical User Interface component. A remote attacker can partially read and modify arbitrary files on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle GlassFish Server: 3.1.2

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Resource exhaustion

EUVDB-ID: #VU197

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3092

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a denial of service condition on the target system.

The vulnerability exists due to an input validation error when processing very long boundary strings within the MultipartStream class in Apache Commons FileUpload. A remote user can cause a denial of service condition by sending a specially crafted boundary string and consuming excessive CPU resources.

Successful exploitation of this vulnerability may result in a denial of service.

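The boundary-length problem described above can be caught before a request ever reaches the multipart parser. The check below is an added illustration, not code from Apache Commons FileUpload, GlassFish or Oracle: it extracts the boundary parameter from a Content-Type header value and rejects it when it exceeds the 70-character limit or the character set that RFC 2046 section 5.1.1 defines for boundaries, so an oversized boundary is refused by a cheap length comparison instead of being handed to MultipartStream. It is written in Python rather than Java because this kind of guard usually lives in a reverse proxy or request pre-filter, where the language is independent of the application server; the function names, the use of the RFC limit as a rejection threshold, and the header values at the bottom are this example's own choices and constructed samples.

```python
"""Reject multipart requests whose boundary parameter is oversized or malformed.

Added illustration, not code from Apache Commons FileUpload or GlassFish.
The header values at the bottom are constructed samples, not captured traffic.
"""
import re
from typing import Dict, Optional, Tuple

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from the
# "bchars" set below and must not end with a space.
MAX_BOUNDARY_LEN = 70
_BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]+")


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart/form-data Content-Type
    value (unquoting it if needed), or None when there is no such parameter."""
    parts = [p.strip() for p in content_type.split(";")]
    if parts[0].lower() != "multipart/form-data":
        return None
    for param in parts[1:]:
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def validate_boundary(boundary: str) -> Tuple[bool, str]:
    """Check one boundary string against the RFC 2046 length and charset rules.
    The length check runs first so that a multi-kilobyte boundary is rejected
    before any further work is spent on it."""
    if len(boundary) > MAX_BOUNDARY_LEN:
        return False, f"boundary length {len(boundary)} exceeds limit of {MAX_BOUNDARY_LEN}"
    if not boundary:
        return False, "empty boundary"
    if _BCHARS.fullmatch(boundary) is None or boundary.endswith(" "):
        return False, "boundary contains characters outside the RFC 2046 set"
    return True, "ok"


def check_request(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request's headers are safe to pass to a multipart parser.
    Non-multipart requests are accepted unchanged; multipart requests need a
    present and well-formed boundary. Header names are matched case-insensitively."""
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), None
    )
    if content_type is None:
        return True, "not multipart"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "multipart/form-data":
        return True, "not multipart"
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return False, "multipart/form-data without boundary parameter"
    return validate_boundary(boundary)


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    samples = {
        "browser upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "quoted boundary": 'multipart/form-data; boundary="simple boundary"',
        "oversized boundary": "multipart/form-data; boundary=" + "A" * 4096,
        "missing boundary": "multipart/form-data",
        "json body": "application/json",
    }
    for label, value in samples.items():
        ok, reason = check_request({"Content-Type": value})
        print(f"{label:20s} -> {'accept' if ok else 'reject'} ({reason})")
```

Rejecting at the header stage also gives a clean log line to alert on (a boundary of several kilobytes is not something a browser or standard HTTP client produces), whereas a CPU spike inside the parser is only visible after the fact. Patching FileUpload remains the actual fix; the pre-check limits exposure for instances that cannot be updated immediately.
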
Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Apache Commons FileUpload: 1.0 - 1.3.1

External links

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
