![]() ![]() This can be configured from the Network Config > Protocols > admin-listener > HTTP tab.īy performing HTTP requests against the GlassFish Administration Console using the TRACE method, a remote, unauthenticated attacker can get access to the content of restricted pages in the Administration Console, because GlassFish Server will behave as if it were handling GET requests from authenticated users. ![]() This administrative server, which is accessed by the Administration Console, has the HTTP TRACE verb enabled by default. ![]() By default, when GlassFish Server starts, it runs an HTTP listener named admin-listener, associated with the _asadmin virtual server. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering. Technical Description / Proof of Concept Codeīuilt using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.Ĩ. There is a checkbox "Trace: Enable TRACE operation" (checked by default) uncheck it and then save changes.įinally, restart GlassFish by doing C:\glassfishv3\bin>asadmin restart-domainĪfter following these steps, when executing the PoC included in this advisory, the webserver should respond:Ĥ05 TRACE method is not allowed headers = Navigate through: Network Config > Protocols > admin-listener > HTTP. In the GlassFish Admin Console, go to the Tasks tree. As a policy, Oracle does not provide workarounds unless they can be easily applied by every customer.įor users who cannot upgrade to the latest patched version, the following workaround can be applied in order to avoid this flaw: Oracle also notifies that patches for previous versions will be available in July, 2011. Oracle notifies that GlassFish Server 3.1 was released in March 2011 and was fixed before release, so it is not affected. Vendor Information, Solutions and Workarounds This vulnerability can be exploited by remote attackers to access sensitive data on the server without being authenticated, by making TRACE requests against the Administration Console.Ĭontact Oracle for patches for other GlassFish versionsĦ. The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to an authentication bypass vulnerability. Title: Oracle GlassFish Server Administration Console Authentication BypassĬlass: Authentication Bypass Issues īuilt using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. Oracle GlassFish Server Administration Console Authentication Bypass ![]()
0 Comments
Leave a Reply. |