Title: Oracle GlassFish Server Administration Console Authentication Bypass

Vulnerability Information
Class: Authentication Bypass Issues

Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.

The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to an authentication bypass vulnerability.

Vendor Information, Solutions and Workarounds

Oracle notifies that GlassFish Server 3.1 was released in March 2011 and was fixed before release, so it is not affected. Oracle also notifies that patches for previous versions will be available in July, 2011.

As a policy, Oracle does not provide workarounds unless they can be easily applied by every customer. For users who cannot upgrade to the latest patched version, the following workaround can be applied in order to avoid this flaw:

1. In the GlassFish Admin Console, go to the Tasks tree.
2. Navigate through: Network Config > Protocols > admin-listener > HTTP.
3. There is a checkbox "Trace: Enable TRACE operation" (checked by default); uncheck it and then save changes.
4. Finally, restart GlassFish by running:

   C:\glassfishv3\bin>asadmin restart-domain

After following these steps, when executing the PoC included in this advisory, the webserver should respond:

   405 TRACE method is not allowed headers =

Credits

This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.
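A check an administrator can run after applying the workaround, to confirm the admin listener now refuses TRACE with the 405 the advisory describes. This is an added example, not the advisory's PoC or Oracle's code; the default port 4848 comes from the advisory, and the local stub server is a constructed stand-in used only to exercise the check offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ADMIN_PORT = 4848  # default Administration Console port, per the advisory


def classify_trace_status(status):
    """Map the listener's answer to a TRACE request onto a verdict.

    The advisory states that a correctly configured server answers
    '405 TRACE method is not allowed', so 405 is the mitigated state;
    a 2xx means TRACE is still enabled on the admin-listener.
    """
    if status == 405:
        return "mitigated"
    if 200 <= status < 300:
        return "trace-enabled"
    return "inconclusive"


def check_trace(host, port=ADMIN_PORT, timeout=5.0):
    """Send one TRACE request to the admin listener and return the verdict."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/")
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify_trace_status(resp.status)
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()


def start_stub(trace_status):
    """Constructed stand-in for an admin listener (not GlassFish).

    It answers every TRACE with the given status so the check above can
    be exercised without a real server; returns the running HTTPServer.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_TRACE(self):
            self.send_response(trace_status)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the stub quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `check_trace("<admin-host>")` against the real listener after the restart; anything other than "mitigated" means the TRACE setting did not take effect.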