Vulnerabilities > CVE-2016-0453 - Remote Security vulnerability in Oracle Fusion Middleware 3.1.2

CVSS 1.8 - LOW
Attack vector
ADJACENT_NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
high complexity
oracle
nessus

Summary

Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.1.2 allows remote attackers to affect integrity via unknown vectors related to Embedded Server.

Vulnerable Configurations

Part Description Count
Application
Oracle
1

Nessus

NASL family: Web Servers
NASL id: GLASSFISH_CPU_JAN_2016.NASL
description: The version of Oracle GlassFish Server running on the remote host is affected by multiple vulnerabilities due to unspecified flaws related to the Embedded Server subcomponent. A remote attacker can exploit these to impact availability, integrity, and confidentiality. No further details have been provided by the vendor.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 88022
published: 2016-01-20
reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/88022
title: Oracle GlassFish Embedded Server Vulnerabilities (January 2016 CPU)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block. When `description` is true, this block records
# the plugin's metadata and then exits (see the exit(0) at the end), so none
# of the check logic below it runs.
if (description)
{
  script_id(88022);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  # One version check covers both CVE IDs; a finding from this plugin does not
  # distinguish between them.
  script_cve_id("CVE-2016-0441", "CVE-2016-0453");

  script_name(english:"Oracle GlassFish Embedded Server Vulnerabilities (January 2016 CPU)");
  script_summary(english:"Checks the version of Oracle GlassFish.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple unspecified
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle GlassFish Server running on the remote host is
affected by multiple vulnerabilities due to unspecified flaws related
to the Embedded Server subcomponent. A remote attacker can exploit
these to impact availability, integrity, and confidentiality. No
further details have been provided by the vendor.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Oracle GlassFish Server version 3.1.2.14 or later as
referenced in the January 2016 Oracle Critical Patch Update advisory.");
  # CVSS v2 base vector: network access, high complexity, single
  # authentication, complete confidentiality and integrity impact, partial
  # availability impact.
  # NOTE(review): this is one vector for a plugin that lists two CVE IDs, so
  # the score published for an individual CVE may differ - confirm against the
  # advisory before using it for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:P");
  # CVSS v2 temporal vector: exploitability unproven, official fix available,
  # report confidence confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d13bbe45");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/01/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:glassfish_server");
  script_end_attributes();

  # Registered as information gathering: the check body below only reads
  # knowledge-base entries and compares version strings.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check consumes KB entries under 'www/glassfish'; presumably these are
  # written by glassfish_detect.nasl - verify against that plugin.
  script_dependencies("glassfish_detect.nasl");
  script_require_keys("www/glassfish");

  # Metadata only: stop before the check logic.
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("glassfish.inc");

#
# Main
#

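# Check for GlassFish
# Exits unless the 'www/glassfish' KB entry is present.
get_kb_item_or_exit('www/glassfish');

port = get_glassfish_port(default:8080);

# Get the version number out of the KB.
# 'version' is the value compared below; 'source' and 'version/pristine' are
# only echoed into the report.
ver = get_kb_item_or_exit("www/" + port + "/glassfish/version");
banner = get_kb_item_or_exit("www/" + port + "/glassfish/source");
pristine = get_kb_item_or_exit("www/" + port + "/glassfish/version/pristine");

# Set appropriate fixed versions.
# This check defines a fix level for the 3.1.2 branch only. For any other
# branch, stop with an explicit audit instead of passing an unset 'fix' to
# ver_compare() and into the report text, where the outcome would depend on
# how an unset value happens to be handled.
if (ver =~ "^3\.1\.2") fix = "3.1.2.14";
else audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);

# A negative result means the detected version is older than the fixed one.
if (ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)
{
  if (report_verbosity > 0)
  {
    # Show where the version came from, so the finding can be verified
    # against the host before remediation is scheduled.
    report =
      '\n  Version source    : ' + banner +
      '\n  Installed version : ' + pristine +
      '\n  Fixed version     : ' + fix +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
}
else audit(AUDIT_LISTEN_NOT_VULN, "Oracle GlassFish", port, pristine);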