edit-icon download-icon

[Vulnerability notice] Arbitrary file access vulnerability in GlassFish

Last Updated: Nov 14, 2017

Description

GlassFish is the reference implementation of Java EE that allows developers to create enterprise applications that are portable and scalable, and that integrate with legacy technologies.

GlassFish has an arbitrary file access vulnerability that can be exploited by attackers to read any file in the server.

Fix

  • Disable remote management to only allow local access. Users will be prompted to enter the user name and password for local access. This setting is recommended for the development environment or the environment requiring high server security.

    Note: After modifying the settings, restart the GlassFish service.

    • For Linux environment:

      1. ./asadmin change-admin-password
      2. ./asadmin disable-secure-admin
      3. ./asadmin stop-domain
      4. ./asadmin start-domain
    • For Windows environment:

      1. asadmin.bat change-admin-password
      2. asadmin.bat disable-secure-admin
      3. asadmin.bat stop-domain
      4. asadmin.bat start-domain
  • Disable web.xml theme mapping.

    1. Modify \glassfish4\glassfish\lib\install\applications\__admingui\WEB-INF\web.xml.
    2. Restart GlassFish to bring the changes into effect.
Thank you! We've received your feedback.