[GLASSFISH-17287] [UB]General Vulnerability Assessment -> NonIntrusive -> Web Server Created: 12/Sep/11  Updated: 15/Mar/13

Status: Open
Project: glassfish
Component/s: docs
Affects Version/s: v3.0.1
Fix Version/s: v3.0.1

Type: Bug Priority: Major
Reporter: fraggie Assignee: Paul Davies
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Solaris 10, SPARC and X86


Tags: Assessment, General, Glassfish, Security, Vulnerability

 Description   

The following security flaw has been identified:

http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_05_11_2011.pdf

11907 - Oracle Sun Products Suite Glassfish Denial Of Service

Category: General Vulnerability Assessment -> NonIntrusive -> Web Server

Risk Level: High

CVE: CVE-2011-0807

DISA IAVA: 2011-A-0054

Description

A denial of service vulnerability is present in some versions of Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server.

Observation

A denial of service vulnerability is present in some versions of Oracle Sun GlassFish Enterprise Server and Sun Java System Application Server.

Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1 are prone to an unspecified vulnerability related to Administration. Successful exploitation could allow an attacker to cause a denial of service.

This may already be fixed, but it is not evident in the latest release notes:

Glassfish 3.1 release note: http://java.net/jira/secure/ReleaseNote.jspa?projectId=10231&version=10968

Glassfish 3.1.1 release note: http://glassfish.java.net/docs/3.1/release-notes.pdf



 Comments   
Comment by Shing Wai Chan [ 12/Sep/11 ]

From http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0807 , we have

Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.

I have confirmed from admin team that this has been fixed in 3.1 and 3.1.1.
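The scanner finding above is a banner-based version match, so a quick way to triage the rest of an estate is to parse the product and version out of each server's HTTP `Server` header (or `asadmin version` output) and compare it against the NVD affected list quoted in the previous comment. The script below is an added example written for this page; it is not GlassFish project code or the Foundstone check itself. It assumes the affected set is exactly the one NVD lists for CVE-2011-0807 (GlassFish 2.1, 2.1.1, 3.0.1 and Sun Java System Application Server 9.1) and that 3.1/3.1.1, as stated in the comment above, are fixed. The banner strings are constructed for illustration, not captured from real hosts.

```python
import re
from typing import List, Optional, Tuple

# Affected versions as listed on the NVD entry for CVE-2011-0807 (assumption:
# exact match only; 3.1 and 3.1.1 are stated in the thread to be fixed).
AFFECTED = {
    "GlassFish": {(2, 1), (2, 1, 1), (3, 0, 1)},
    "Sun Java System Application Server": {(9, 1)},
}

# Constructed sample banners (not captured from real hosts) in the shapes these
# products emit in the HTTP Server header or `asadmin version` output.
SAMPLE_BANNERS = [
    "Server: Sun GlassFish Enterprise Server v2.1.1",
    "Server: GlassFish Server Open Source Edition 3.0.1",
    "Server: GlassFish Server Open Source Edition 3.1.1",
    "Server: Sun Java System Application Server 9.1_02",
    "Server: Apache-Coyote/1.1",
]

# Product name followed by an optional 'v' and a dotted version; a trailing
# patch suffix such as "_02" is deliberately not part of the version tuple.
_PATTERNS = [
    ("GlassFish", re.compile(r"GlassFish.*?v?(\d+(?:\.\d+)+)", re.I)),
    ("Sun Java System Application Server",
     re.compile(r"Sun Java System Application Server\s+v?(\d+(?:\.\d+)+)", re.I)),
]


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (product, version tuple) or None if the banner is neither product."""
    for product, pattern in _PATTERNS:
        match = pattern.search(banner)
        if match:
            version = tuple(int(part) for part in match.group(1).split("."))
            return product, version
    return None


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner names a version on the NVD list, False if it names
    another version of these products, None if the product is not recognised."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    return version in AFFECTED[product]


def scan(banners: List[str]) -> List[Tuple[str, Optional[bool]]]:
    """Triage a list of banners; keeps the banner next to its verdict."""
    return [(banner, is_affected(banner)) for banner in banners]


if __name__ == "__main__":
    for banner, verdict in scan(SAMPLE_BANNERS):
        label = {True: "AFFECTED", False: "not affected", None: "unknown product"}[verdict]
        print(f"{label:16} {banner}")
```

Treat a match as a reason to check the patch level, not as proof: a 2.1.1 or 3.0.1 install that has had the vendor patch applied can still report the same version string, and a host with the `Server` header suppressed yields no verdict at all. The exact-match rule also means a 3.0 (not 3.0.1) banner is reported as not affected, because that is what the NVD entry says; widen the set only if a later advisory does.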

Comment by fraggie [ 13/Sep/11 ]

Hi Shing Wai Chan,

Thank you for that and the prompt reply, much appreciated.

One last thing, would it be possible for you to highlight where it states in the release notes that this has been fixed?

(Just for our records).

Regards,
Dónal

Comment by Bhakti Mehta [ 14/Oct/11 ]

Assigning to Shingwai for more input on the submitter's question

Comment by Anissa Lam [ 18/Oct/11 ]

As stated above, the bug exists in
Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1
but not in v3.1 and 3.1.1.

3.1 and 3.1.1 shipped before the bug was discovered/reported, thus the release notes of those releases don't mention it.

I am transferring this to doc. If they think this should be mentioned in the release note of next release, they can add that in.

Comment by Rebecca Parks [ 12/Dec/11 ]

It sounds to me like it's the Release Notes for 3.1/3.1.1 that need to be fixed. It's too bad I didn't look at this bug sooner, I just updated the 3.1/3.1.1 Release Notes. I think I can get this added for the next patch, scheduled for 1/13/12.

If it's added to the 3.1/3.1.1 Release Notes, it seems to me that it doesn't need to be in the 3.1.2 Release Notes as well, but I'd like to hear other opinions.

Comment by Rebecca Parks [ 04/Jan/12 ]

I checked with the doc team, and it is unfixed bugs that appear in the Release Notes, not fixed ones. So this would go in the SGES 2.1.1, SGCS 2.0, and OGS 3.0.1 Release Notes. I am currently updating the 2.1.1/2.0 Release Notes, so I will retarget this bug to 3.0.1.

Comment by Tom Mueller [ 06/Mar/12 ]

Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.

Comment by Rebecca Parks [ 06/Mar/12 ]

Changed the fix version back to 3.0.1. This needs to be added to the 3.0.1 Release Notes at the next patch update.

Comment by Tom Mueller [ 07/Mar/12 ]

Bulk update to set Fix Version to "not determined" for issues that had it set to a version that has already been released.

Comment by Rebecca Parks [ 07/Mar/12 ]

Please don't make me do this AGAIN.

Comment by Mike Fitch [ 16/Feb/13 ]

As this applies to unbundled documentation, moving to 4.0.1

Comment by Mike Fitch [ 15/Mar/13 ]

Changed fix version to 3.0.1 as per Rebecca's comment of 06/Mar/12 10:41 PM:

Changed the fix version back to 3.0.1. This needs to be added to the 3.0.1 Release Notes at the next patch update.





Generated at Mon Aug 31 00:47:59 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.