Vulnerabilities > CVE-2015-4899 - Remote Security vulnerability in Oracle Fusion Middleware 3.0.1/3.1.2

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
oracle
nessus

Summary

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality via unknown vectors related to Security.

Vulnerable Configurations

Part Description Count
Application
Oracle
2

Nessus

NASL family: Web Servers
NASL id: GLASSFISH_CPU_OCT_2015.NASL
description: The version of Oracle GlassFish Server running on the remote host is affected by an unspecified information disclosure vulnerability due to an unspecified flaw in the Security subcomponent. A remote attacker can exploit this to disclose sensitive information.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 86481
published: 2015-10-21
reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86481
title: Oracle GlassFish Server Unspecified Information Disclosure (October 2015 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set, the script only declares
# its metadata and leaves through the exit(0) at the end of this block,
# so none of the version check further down runs.
if (description)
{
  script_id(86481);
  script_version("1.8");
  script_cvs_date("Date: 2018/07/12 19:01:16");

  # The single CVE this plugin reports on.
  script_cve_id("CVE-2015-4899");

  script_name(english:"Oracle GlassFish Server Unspecified Information Disclosure (October 2015 CPU)");
  script_summary(english:"Checks the version of Oracle GlassFish.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an unspecified information
disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle GlassFish Server running on the remote host is
affected by an unspecified information disclosure vulnerability due to
an unspecified flaw in the Security subcomponent. A remote attacker
can exploit this to disclose sensitive information.");
  # The two fixed releases named here are the same values the check at the
  # bottom of this file compares the detected version against.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle GlassFish Server 3.0.1.13 / 3.1.2.13 or later as
referenced in the October 2015 Oracle Critical Patch Update advisory.");
  # CVSSv2 base vector: network-reachable, medium access complexity, no
  # authentication, partial confidentiality impact, no integrity or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  # CVSSv2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # Oracle Critical Patch Update advisory, October 2015:
  # http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
  # NOTE(review): the shortened link below presumably points at that
  # advisory - confirm before relying on it.
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75a4a4fb");

  # Disclosure and patch share a date; the plugin was published a day later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/10/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/21");

  # Declared as a remote check and scoped to the GlassFish Server CPE.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:glassfish_server");
  script_end_attributes();

  # Registered in the information-gathering category.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Depends on the GlassFish detection script and requires the
  # "www/glassfish" KB key, which the main section reads first.
  script_dependencies("glassfish_detect.nasl");
  script_require_keys("www/glassfish");

  # End of the registration pass.
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("glassfish.inc");

#
# Main
#

# Stop here unless the KB records a GlassFish installation.
get_kb_item_or_exit('www/glassfish');

port = get_glassfish_port(default:8080);

# All three values are read from the KB under the per-port GlassFish
# prefix. The verdict below is a pure version comparison, so it is only
# as accurate as the detected version string.
kb_base  = "www/" + port + "/glassfish/";
ver      = get_kb_item_or_exit(kb_base + "version");
banner   = get_kb_item_or_exit(kb_base + "source");
pristine = get_kb_item_or_exit(kb_base + "version/pristine");

# Pick the fixed release for the branch the install belongs to. Only the
# 3.0.1 and 3.1.2 branches are covered; any other version keeps fix at
# NULL and is audited as not vulnerable.
# NOTE(review): both patterns are prefix matches with no boundary after
# the last digit; ver_compare() still makes the final decision.
fix = NULL;
if (ver =~ "^3\.1\.2") fix = "3.1.2.13";
else if (ver =~ "^3\.0\.1") fix = "3.0.1.13";

# Not affected: unsupported branch, or already at or above the fix.
if (isnull(fix) || !(ver_compare(ver:ver, fix:fix, strict:FALSE) < 0))
  audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);
else if (report_verbosity > 0)
{
  # Verbose report: where the version came from, what was found, and the
  # release that carries the fix.
  details = '\n  Version source    : ' + banner;
  details = details + '\n  Installed version : ' + pristine;
  details = details + '\n  Fixed version     : ' + fix;
  details = details + '\n';
  security_warning(port:port, extra:details);
}
else security_warning(port);