Security Fixes Summary
The following is a list of tracked Common Vulnerabilities and Exposures (CVEs) that have been reported and analyzed, and which could or did affect Payara Server across releases. Entries marked N/A were assessed and found not to apply to Payara Server; the Observations column records why.
ID | Status | Summary | Release | Pull Requests | Observations |
---|---|---|---|---|---|
 | N/A | Apache Tomcat security constraint bypass and VirtualDirContext vulnerability | | | Unrelated to Payara Server |
 | FIXED | Apache Tomcat vulnerability on Windows allowed remote code execution via crafted PUT requests to JSPs | 4.1.2.174 | | Fixed in Apache Tomcat, ported to Payara Server |
 | FIXED | Apache Commons FileUpload before 1.3.3 DiskFileItem file manipulation remote code execution | 4.1.2.173 | | |
 | FIXED | Oracle GlassFish Server local security vulnerability | 4.1.2.173 | | Fixed in GlassFish 5 code, ported to Payara Server |
 | FIXED | Oracle GlassFish Server remote security vulnerability | 4.1.2.173 | | Fixed in GlassFish 5 code, ported to Payara Server |
 | FIXED | Oracle GlassFish Server remote security vulnerability | 4.1.2.173 | | Fixed in GlassFish 5 code, ported to Payara Server |
 | FIXED | Oracle GlassFish Server remote security vulnerability | 4.1.2.173 | | Fixed in GlassFish 5 code, ported to Payara Server |
 | FIXED | Oracle GlassFish Server remote security vulnerability | 4.1.2.173 | | Fixed in GlassFish 5 code, ported to Payara Server |
 | N/A | Oracle GlassFish Server vulnerability in Oracle Fusion Middleware | | | Affects an older version of GlassFish but not Payara Server |
 | FIXED | XSS vulnerabilities in the Dojo libraries used by the admin console | 4.1.1.163 | | |
 | FIXED | Apache Commons Compress bzip2 vulnerability allows denial-of-service attacks | 4.1.1.163 | | |
 | FIXED | Race condition in outdated jLine code allows arbitrary code execution | 4.1.1.171 | | |
 | FIXED | Apache Commons FileUpload allows denial-of-service attacks via crafted | 4.1.1.154.1 | | |
 | N/A | Vulnerabilities in Apache JSTL allow arbitrary code injection | | | Payara Server uses the |
 | N/A | Vulnerabilities in the smb_request_state function in cURL | | | Payara Server doesn't ship with either cURL or libcurl, so it's not affected |
 | N/A | Apache Tomcat vulnerability in session recycling for SSL requests | | | Payara Server's implementation of the Request class doesn't contain the problematic variable being recycled |
 | N/A | Apache Tomcat Manager application session and CSRF token vulnerabilities | | | Unrelated to Payara Server, since this affects specific Tomcat applications |
 | N/A | Apache Tomcat vulnerability in | | | Payara Server doesn't use the |
 | N/A | Session persistence in Apache Tomcat allows arbitrary code injection | | | Payara Server doesn't use the affected objects in the same way that Tomcat does, so the flaw is not present |
 | FIXED | Vulnerability in | 4.1.1.164.1 | | |
 | FIXED | Apache Commons FileUpload allows denial-of-service attacks via | 4.1.1.163 | | |
 | FIXED | Unspecified vulnerability in various versions of the Oracle JDK and JRockit | 4.1.1.164.1 | | |
 | FIXED | Unspecified vulnerability in Oracle GlassFish 3.0+ affects confidentiality | 4.1.1.163 | | |
 | N/A | Unspecified vulnerability in Oracle GlassFish 3.0.1 affects confidentiality | | | Affects an older version of GlassFish but not Payara Server |
 | FIXED | Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet | 4.1.1.163.1 | | |
 | N/A | Unspecified vulnerability in Oracle GlassFish 3.0.1 affects confidentiality | | | Affects an older version of GlassFish but not Payara Server |
 | PENDING | Unspecified vulnerability in the JSF implementation for Oracle GlassFish 3.0+ | | | Pending assessment |
 | N/A | Apache Tomcat HTTP request parsing vulnerability allows injection of data into the response | | | Payara Server does not include the affected Coyote components |
Additionally, here is a list of non-CVE vulnerabilities that were reported and analyzed:
Reference | Status | Summary | Release | Pull Requests | Observations |
---|---|---|---|---|---|
 | FIXED | Web administration console is vulnerable to clickjacking/UI redress attacks. | 4.1.2.174 | | |
Payara Support Ticket | FIXED | Under some circumstances, authenticated caller/user identities get confused. | 4.1.1.171.11 | | |
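The practical question behind the Release columns in both tables is "does my installed build contain this fix?". The script below is an added example, not part of Payara Server or its tooling. It embeds the FIXED rows from the tables above (summaries trimmed, CVE identifiers omitted because they are not reproduced on this page) and compares a version string component by component. The one assumption it makes is that a fix listed for release R is present in every release whose version tuple is greater than or equal to R. That holds within a single release line, but Payara patch streams such as 4.1.1.171.11 branch from an older release, so a fix first listed for 4.1.2.173 is not necessarily in 4.1.1.171.11; the script deliberately reports such versions as still affected, which is the conservative answer, and the vendor's patch notes settle the question.

```python
"""Check an installed Payara Server version against the fix releases listed above.

Added example, not Payara's own code. Assumption: a fix listed for release R is
present in every version that compares >= R component by component. Patch-stream
builds (e.g. 4.1.1.171.11) may carry backports this check does not know about;
it reports them as affected, erring on the safe side.
"""
from typing import List, Tuple

# Constructed from the FIXED rows of the two tables above (summaries trimmed).
# Rows without a fix release (N/A, PENDING) are intentionally not listed.
FIXED_ENTRIES = [
    ("Apache Tomcat RCE via crafted PUT to JSPs on Windows", "4.1.2.174"),
    ("Apache Commons FileUpload DiskFileItem RCE", "4.1.2.173"),
    ("Oracle GlassFish Server local security vulnerability", "4.1.2.173"),
    ("Oracle GlassFish Server remote security vulnerabilities", "4.1.2.173"),
    ("XSS in Dojo libraries used by the admin console", "4.1.1.163"),
    ("Apache Commons Compress bzip2 DoS", "4.1.1.163"),
    ("Race condition in outdated jLine code", "4.1.1.171"),
    ("Apache Commons FileUpload DoS", "4.1.1.154.1"),
    ("Oracle JDK / JRockit unspecified vulnerability", "4.1.1.164.1"),
    ("Oracle GlassFish 3.0+ confidentiality issue", "4.1.1.163"),
    ("Apache Tomcat CGI Servlet untrusted data", "4.1.1.163.1"),
    ("Admin console clickjacking / UI redress", "4.1.2.174"),
    ("Authenticated caller identity confusion", "4.1.1.171.11"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.1.2.174' into (4, 1, 2, 174). Rejects anything non-numeric so a
    qualifier such as '-SNAPSHOT' cannot silently compare as 'fixed'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Payara version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_at_least(installed: str, fix_release: str) -> bool:
    """True if installed >= fix_release, comparing component by component.

    Python tuple ordering does the work: a shorter tuple that is a prefix of a
    longer one sorts first, so (4,1,1,171) < (4,1,1,171,11), while
    (4,1,1,171,11) < (4,1,2,173) because the third component already differs.
    """
    return parse_version(installed) >= parse_version(fix_release)


def outstanding_fixes(installed: str) -> List[str]:
    """Summaries of listed fixes that `installed` does NOT contain under the
    assumption stated in the module docstring."""
    return [summary for summary, release in FIXED_ENTRIES
            if not is_at_least(installed, release)]


if __name__ == "__main__":
    for version in ("4.1.1.164", "4.1.1.171.11", "4.1.2.174"):
        missing = outstanding_fixes(version)
        print(f"{version}: {len(missing)} listed fix(es) not present")
        for summary in missing:
            print("  -", summary)
```

Run it with the build reported by `asadmin version` and treat any non-empty list as a reason to upgrade or to confirm a backport with Payara support. Versions with a qualifier (for example a snapshot build) are rejected rather than guessed at, because a wrong "fixed" answer is the expensive mistake here.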