Security Fixes Summary

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, and that have impacted, or could impact, Payara Server across releases:

| ID | CVSS v3.0 Base Score | Status | Summary | Release | Pull Requests | Observations |
|---|---|---|---|---|---|---|
| CVE-2021-42392 | N/A | N/A | Unauthenticated RCE in H2 Database Console | | | Doesn't affect Payara Platform. The Payara Platform doesn't launch the H2 Database Console and doesn't make it available in any way. |
| CVE-2021-40690 | 7.5 | FIXED | The "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element, allowing abuse of an XPath Transform to extract any local .xml files in a RetrievalMethod element. | 5.2021.10 | #5505 | Fixed by upgrading Apache Santuario to 2.2.3 |
| CVE-2018-10054 | 6.5 | FIXED | Remote code execution vulnerability in H2 DB because CREATE ALIAS can execute arbitrary Java code | 5.2021.8 | #5416 | Fixed by upgrading H2 DB to 1.4.200 |
| CVE-2018-14335 | 4.0 | FIXED | Insecure handling of permissions in the backup function of the H2 DB | 5.2021.8 | #5416 | Fixed by upgrading H2 DB to 1.4.200 |
| CVE-2021-41381 | 5.3 | FIXED | Improper Limitation of a pathname to a restricted directory (exposes an application to "Path Traversal") when context root is / | 5.2021.7 | #5396 | Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro |
| CVE-2021-28170 | 5.3 | FIXED | A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid | 5.2021.5 | el-ri #160 | Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version |
| CVE-2020-10693 | 5.3 | FIXED | A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls. | 5.2020.7 | #4977 | Fixed by upgrading Hibernate Validator to 6.1.5 |
| CVE-2019-17195 | 9.8 | FIXED | Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | 5.2020.5 | #4843 | Fixed by upgrading Nimbus JOSE+JWT to 8.20 |
| CVE-2020-6950 | 7.5 | FIXED | Eclipse Mojarra vulnerable to path traversal flaw via either loc/con parameters | 5.201 | #4492 | Fixed by upgrading Mojarra to 2.3.14 |
| CVE-2019-12086 | 7.5 | FIXED | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9 | 5.193, 5.192.1, 5.191.4 | #4004 | |
| CVE-2018-14721 | 10.0 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | #3461, #3513 | Fixed in FasterXML Jackson 2.9.7, component updated |
| CVE-2018-14720 | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | #3461, #3513 | Fixed in FasterXML Jackson 2.9.7, component updated |
| CVE-2018-14719 | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | #3461, #3513 | Fixed in FasterXML Jackson 2.9.7, component updated |
| CVE-2018-14718 | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | #3461, #3513 | Fixed in FasterXML Jackson 2.9.7, component updated |
| CVE-2018-14371 | 7.5 | FIXED | Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. | 5.191, 5.184.1, 5.181.10 | #3687 | Fixed in Eclipse Mojarra 2.3.9, component updated |
| CVE-2018-7489 | 9.8 | FIXED | Default typing issue in Jackson Databind | 4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182 | #2628 | Fixed in Jackson Databind 2.9.5, component updated |
| CVE-2017-12616 | 7.5 | N/A | Apache Tomcat security constraint bypass and VirtualDirContext vulnerability | | | Unrelated to Payara Server |
| CVE-2017-12615 | 8.1 | FIXED | Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs | 4.1.2.174 | #2023 | Fixed in Apache Tomcat, ported to Payara Server |
| CVE-2016-1000031 | 9.8 | FIXED | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution | 4.1.2.173 | #1776 | |
| CVE-2017-3239 | 3.3 | FIXED | Oracle GlassFish Server Local Security Vulnerability | 4.1.2.173 | #1717 | Fixed in GlassFish 5 code, ported to Payara Server |
| CVE-2017-3247 | 4.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | #1717 | Fixed in GlassFish 5 code, ported to Payara Server |
| CVE-2017-3249 | 7.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | #1712 | Fixed in GlassFish 5 code, ported to Payara Server |
| CVE-2017-3250 | 7.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | #1712 | Fixed in GlassFish 5 code, ported to Payara Server |
| CVE-2016-5528 | 9.0 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | #1712 | Fixed in GlassFish 5 code, ported to Payara Server |
| CVE-2016-5519 | 8.8 | N/A | Oracle GlassFish Server vulnerability in Oracle Fusion Middleware | | | Affects an older version of GlassFish but not Payara Server |
| CVE-2007-6726 | N/A (V2: 4.3) | FIXED | XSS Vulnerabilities in Dojo libraries used for admin console | 4.1.1.163 | #35, #978, #979 | |
| CVE-2012-2098 | N/A (V2: 5.0) | FIXED | Apache Commons Compress bzip2 vulnerability allows DDoS attacks | 4.1.1.163 | #799, #931, #1005, #1006 | |
| CVE-2013-2035 | N/A (V2: 4.4) | FIXED | Race condition in outdated jLine code allows arbitrary code execution | 4.1.1.171 | #931, #1005, #1006, #839, #841, #840 | |
| CVE-2014-0050 | N/A (V2: 7.5) | FIXED | Apache Commons FileUpload allows DDoS attacks via crafted Content-Type headers | 4.1.1.154.1 | #560 | |
| CVE-2015-0254 | N/A (V2: 7.5) | N/A | Vulnerabilities in Apache JSTL allow arbitrary code injection | | | Payara Server uses the FEATURE_SECURE_PROCESSING feature of JAXP so is not affected |
| CVE-2015-3237 | N/A (V2: 6.4) | N/A | Vulnerabilities in smb_request_state function in cURL | | | Payara Server doesn't ship with either cURL or libcurl so it's not affected |
| CVE-2015-5346 | 8.1 | N/A | Apache Tomcat Vulnerability in session recycling for SSL requests | | | Payara Server implementation of the Request class doesn't contain the problematic variable being recycled |
| CVE-2015-5351 | 8.8 | N/A | Apache Tomcat Manager Applications Session and CSRF token vulnerabilities | | | Unrelated to Payara Server since this affects specific Tomcat applications |
| CVE-2016-0706 | 4.3 | N/A | Apache Tomcat Vulnerability in StatusManagerServlet component allows reading HTTP requests and discovering session IDs | | | Payara Server doesn't use the StatusManagerServlet component so it's not affected |
| CVE-2016-0714 | 8.8 | N/A | Session persistence in Apache Tomcat allows arbitrary code injection | | | Payara Server doesn't use the affected objects in the same way that Tomcat does so the flaw is not present |
| CVE-2016-0763 | 6.3 | FIXED | Vulnerability in ResourceLinkFactory.setGlobalContext method on Apache Tomcat | 4.1.1.164.1 | #1210 | |
| CVE-2016-3092 | 7.5 | FIXED | Apache Commons FileUpload allows DDoS attacks via Multipart class | 4.1.1.163 | #953 | |
| CVE-2016-3427 | 9.0 | FIXED | Unspecified vulnerability in various versions of the Oracle JDK and JRockit | 4.1.1.164.1 | #1209 | |
| CVE-2016-3607 | 9.8 | FIXED | Unspecified vulnerability in Oracle GlassFish 3.0+ affects confidentiality | 4.1.1.163 | #1029, #1031, #1011 | |
| CVE-2016-3608 | 5.8 | N/A | Unspecified vulnerability in Oracle GlassFish 3.0.1 affects confidentiality | | | Affects an older version of GlassFish but not Payara Server |
| CVE-2016-5388 | 8.1 | FIXED | Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet | 4.1.1.163.1 | #1051 | |
| CVE-2016-5477 | 5.8 | N/A | Unspecified vulnerability in Oracle GlassFish 3.0.1 affects confidentiality | | | Affects an older version of GlassFish but not Payara Server |
| CVE-2016-5519 | 8.8 | PENDING | Unspecified vulnerability in JSF implementation for Oracle GlassFish 3.0+ | | | Pending assessment |
| CVE-2016-6816 | 7.1 | N/A | Apache Tomcat HTTP request parsing vulnerability allows injection of data into the response | | | Payara Server does not include the affected Coyote components |
| CVE-2017-1000028 | 7.5 | FIXED | Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal, which can be exploited by issuing a specially crafted HTTP GET request. | 4.1.1.161 | #632 | Fixed by patching Woodstock |

Additionally, here is a list of non-CVE vulnerabilities that have been reported and analyzed as well:

| Reference | Status | Summary | Release | Pull Requests | Observations |
|---|---|---|---|---|---|
| Payara Enterprise Support Ticket | FIXED | Vulnerability in Metro's WSDL Code Importing/Parsing - Remote Code Execution | 5.2021.3 | #5198 | Recommended to immediately upgrade to this release if using any JAX-WS features in applications deployed in public-facing environments. |
| OWASP Docs | FIXED | Web administration console is vulnerable to clickjacking/UI redress attacks. | 4.1.2.174 | #2097 | |
| Payara Support Ticket | FIXED | Under some circumstances authenticated caller/user identities get confused. | 4.1.1.171.11 | #2493 | |
| Payara Support Ticket | FIXED | CORBA security context gets corrupted under certain conditions | 4.1.2.181.2, 4.1.2.182, 5.182 | #2493 | |