Where can I find Glassfish 3.1.2.9?

James Cignarella
I am currently running the open source version of Glassfish 3.1.2.2. A recent Nessus security scan of the web server revealed the high risk vulnerability report below.

The recommendation is to update Glassfish to 3.1.2.9. However, I cannot find any link to download a 3.x version later than 3.1.2.2 from either the Glassfish open source project or Oracle.

Does anyone know where I can download Glassfish 3.1.2.9?

I cannot move to Glassfish 4.x as my JSF/ICEfaces 3.x application won't currently run with the JSF 2.2 libraries in Glassfish 4.

Thanks in advance!

-----------------

76591 - Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)

Solution
Upgrade to GlassFish Server 2.1.1.24 / 3.0.1.9 / 3.1.2.9 or later.

Risk Factor
High

CVSS Base Score

Synopsis
The remote web server is affected by multiple vulnerabilities.

Description
The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components:

- The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739)

- The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740)

- NSS contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741)

- An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605)

- An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606)

- Oracle Mojarra contains a cross-site scripting vulnerability due to improperly sanitized user-supplied input. This allows an attacker to execute arbitrary script code within the context of the affected site. (CVE-2013-5855)

- Errors exist related to the included Network Security Services (NSS) libraries, 'NewSessionTicket' handshakes, and public Diffie-Hellman values that allow application crashes and possibly arbitrary code execution. (CVE-2014-1490, CVE-2014-1491)

- An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue allows man-in-the-middle attacks. (CVE-2014-1492)

See Also
http://www.nessus.org/u?7de2f8eb
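
A banner-based version gate of the kind a scanner applies to a finding like the one above, as an added example that is not part of this thread and not Nessus's own plugin code. The fixed builds come from the Solution line (2.1.1.24 / 3.0.1.9 / 3.1.2.9); the banner strings are constructed for illustration, and the assumption that the product name and version are readable from an HTTP Server header or default error page is mine.

```python
"""Decide whether a reported GlassFish version falls below the fixed build
for its branch, the way a version-based scanner check does.

Example code added to this thread; not Nessus's plugin logic."""
import re

# Fixed builds per affected branch, taken from the scanner's Solution line.
FIXED_BY_BRANCH = {
    (2, 1, 1): (2, 1, 1, 24),
    (3, 0, 1): (3, 0, 1, 9),
    (3, 1, 2): (3, 1, 2, 9),
}

# Matches "GlassFish Server 3.1.2.9" and "GlassFish Server Open Source Edition 3.1.2.2"
# (the "Oracle GlassFish Server ..." form contains the same substring).
VERSION_RE = re.compile(r"GlassFish Server(?: Open Source Edition)?\s+(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the version as a tuple of ints, or None if no GlassFish version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True if version is on a covered branch and older than that branch's fixed build.

    Returns None when the branch is not covered by the finding (e.g. 4.x) or no
    version was parsed: "undetermined" is deliberately distinct from "not affected"."""
    if version is None:
        return None
    fixed = FIXED_BY_BRANCH.get(version[:3])
    if fixed is None:
        return None
    # Pad a short version such as 3.1.2 so it compares as 3.1.2.0.
    padded = version + (0,) * (len(fixed) - len(version))
    return padded < fixed


def assess(banner):
    """Combine parsing and the version gate for one banner string."""
    version = parse_version(banner)
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    # Constructed banners, not captured from a real host.
    samples = [
        "Server: GlassFish Server Open Source Edition 3.1.2.2",
        "Server: Oracle GlassFish Server 3.1.2.9",
        "Server: GlassFish Server Open Source Edition 4.0",
        "Server: Apache",
    ]
    for banner in samples:
        print(banner, "->", assess(banner))
```

The third and fourth samples show the caveat that matters in practice: a banner with no covered version gives "undetermined", not "clean". Suppressing or rewriting the Server header will silence a banner-based check, but it does not change which Mojarra or NSS code is actually deployed.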

 
Cyril Bouteille
I have the same issue but the link doesn't seem to work (anymore?). Is there a new one?
 
James Cignarella
The Glassfish 3.1.2.9 patch referenced by Nessus seems to only be available via Oracle. I was unable to find any equivalent for the open source version.

Unfortunately getting the patch seems to require paid support from Oracle. Also, the patch needs to be applied via UpdateTool and the process was quite convoluted.

More info here:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

 
Cyril Bouteille
I guess the link I saw was not a reply but just an ad at the end of the thread that looked like one. Nice UX coderanch...

How much did it cost to get support?

 
James Cignarella
I think support is fairly expensive (like $50K/yr). Our organization has a support license for other Oracle products which has patch download privilege so we were able to leverage this.

Perhaps follow up with Oracle and see what is needed to access the Support site for this patch download privilege. Maybe you don't need full-blown Glassfish support.

Good luck!