Security Fixes Summary

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

ID Status Summary Release Pull Requests Observations

CVE-2018-7489

FIXED

Default typing issue in Jackson Databind

4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182

#2628

Fixed in Jackson Databind 2.9.5, component updated

CVE-2017-12616

N/A

Apache Tomcat security constraint bypass and VirtualDirContext vulnerability

Unrelated to Payara Server

CVE-2017-12615

FIXED

Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs

4.1.2.174

#2023

Fixed in Apache Tomcat, ported to Payara Server

CVE-2016-1000031

FIXED

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

4.1.2.173

#1776

CVE-2017-3239

FIXED

Oracle GlassFish Server Local Security Vulnerability

4.1.2.173

#1717

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3247

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1717

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3249

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3250

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2016-5528

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2016-5519

N/A

Oracle GlassFish Server vulnerability in Oracle Fusion Middleware

Affects an older version of GlassFish but not Payara Server

CVE-2007-6726

FIXED

XSS Vulnerabilities in Dojo libraries used for admin console

4.1.1.163

#35, #978, #979

CVE-2012-2098

FIXED

Apache Commons Compress bzip2 vulnerability allows DDoS attacks

4.1.1.163

#799, #931, #1005, #1006

CVE-2013-2035

FIXED

Race condition in outdated jLine code allows arbitrary code execution

4.1.1.171

#931, #1005, #1006, #839, #841, #840

CVE-2014-0050

FIXED

Apache Commons FileUpload allows DDoS attacks via crafted Content-Type headers

4.1.1.154.1

#560

CVE-2015-0254

N/A

Vulnerabilities on Apache JSTL allows arbitrary code injection

Payara Server uses the FEATURE_SECURE_PROCESSING feature of JAXP so is not affected

CVE-2015-3237

N/A

Vulnerabilities in smb_request_state function in cURL

Payara Server doesn’t ship with either cURL or licurl so it’s not affected

CVE-2015-5346

N/A

Apache Tomcat Vulnerability in session recycling for SSL requests

Payara Server implementation of the Request class doesn’t contain the problematic variable being recycled

CVE-2015-5351

N/A

Apache Tomcat Manager Applications Session and CSRF token vulnerabilities

Unrelated to Payara Server since this affects specific Tomcat applications

CVE-2016-0706

N/A

Apache Tomcat Vulnerability on StatusManagerServlet component allows reads of HTTP requests and discover session IDs

Payara Server doesn’t use the StatusManagerServlet component so it’s not affected

CVE-2016-0714

N/A

Session persistence in Apache Tomcat allows arbitrary code injection

Payara Server doesn’t use the affected objects in the same way that Tomcat does so the flaw is not present

CVE-2016-0763

FIXED

Vulnerability in ResourceLinkFactory.setGlobalContext method on Apache Tomcat

4.1.1.164.1

#1210

CVE-2016-3092

FIXED

Apache Commons FileUpload allows DDoS attacks via Multipart class

4.1.1.163

#953

CVE-2016-3427

FIXED

Unspecified vulnerability in various versions of the Oracle JDK and JRockit

4.1.1.164.1

#1209

CVE-2016-3607

FIXED

Unspecified vulnerability on Oracle GlassFish 3.0+ affects confidentiality

4.1.1.163

#1029, #1031, #1011

CVE-2016-3608

N/A

Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality

Affects an older version of GlassFish but not Payara Server

CVE-2016-5388

FIXED

Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet

4.1.1.163.1

#1051

CVE-2016-5477

N/A

Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality

Affects an older version of GlassFish but not Payara Server

CVE-2016-5519

PENDING

Unspecified vulnerability on JSF implementation for Oracle Glassfish 3.0+

Pending for assesment

CVE-2016-6816

N/A

Apache Tomcat HTTP request parsing vulnerability allow injection of data into reponse

Payara Server doesn’t have included the Coyote components affected

Additionally, here are is a list of non-CVE vulnerabilities reported and analyzed as well:

Reference Status Summary Release Pull Requests Observations

OWASP Docs

FIXED

Web administration console is vulnerable against clickjacking/UI redress attacks.

4.1.2.174

#2097

Payara Support Ticket

FIXED

Under some circumstances authenticated caller/user identities get confused.

4.1.1.171.11

#2493

Payara Support Ticket

FIXED

CORBA security context gets corrupted under certain conditions

4.1.2.181.2, 4.1.2.182, 5.182

#2493