Security Fixes Summary
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
ID | CVSS v3.0 Base Score | Status | Summary | Release | Pull Requests | Observations |
---|---|---|---|---|---|---|
N/A |
N/A |
Unauthenticated RCE in H2 Database Console |
Doesn’t affect Payara Platform. The Payara Platform doesn’t launch the H2 Database Console and doesn’t make it available in any way. |
|||
7.5 |
FIXED |
The "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element, allowing abuse of an XPath Transform to extract any local .xml files in a RetrievalMethod element. |
5.2021.10 |
Fixed by upgrading Apache Santuario to 2.2.3 |
||
6.5 |
FIXED |
Remote code execution vulnerability in H2 DB because CREATE ALIAS can execute arbitrary Java code |
5.2021.8 |
Fixed by upgrading H2 DB to 1.4.200 |
||
4.0 |
FIXED |
Insecure handling of permissions in the backup function of the H2 DB |
5.2021.8 |
Fixed by upgrading H2 DB to 1.4.200 |
||
5.3 |
FIXED |
Improper Limitation of a pathname to a restricted directory (exposes an application to "Path Traversal") when context root is / |
5.2021.7 |
Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro |
||
5.3 |
FIXED |
A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid |
5.2021.5 |
Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version |
||
5.3 |
FIXED |
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls. |
5.2020.7 |
Fixed by upgrading Hibernate Validator to 6.1.5 |
||
9.8 |
FIXED |
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. |
5.2020.5 |
Fixed by upgrading Nimbus JOSE+JWT to 8.20 |
||
7.5 |
FIXED |
Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters |
5.201 |
Fixed by upgrading Mojarra to 2.3.14 |
||
7.5 |
FIXED |
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9 |
5.193, 5.192.1, 5.191.4 |
|||
10.0 |
FIXED |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks |
5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 |
Fixed in FasterXML Jackson 2.9.7, component updated |
||
9.8 |
FIXED |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks |
5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 |
Fixed in FasterXML Jackson 2.9.7, component updated |
||
9.8 |
FIXED |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code |
5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 |
Fixed in FasterXML Jackson 2.9.7, component updated |
||
9.8 |
FIXED |
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code |
5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 |
Fixed in FasterXML Jackson 2.9.7, component updated |
||
7.5 |
FIXED |
Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. |
5.191, 5.184.1, 5.181.10 |
Fixed in Eclipse Mojarra 2.3.9, component updated |
||
9.8 |
FIXED |
Default typing issue in Jackson Databind |
4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182 |
Fixed in Jackson Databind 2.9.5, component updated |
||
7.5 |
N/A |
Apache Tomcat security constraint bypass and VirtualDirContext vulnerability |
Unrelated to Payara Server |
|||
8.1 |
FIXED |
Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs |
4.1.2.174 |
Fixed in Apache Tomcat, ported to Payara Server |
||
9.8 |
FIXED |
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution |
4.1.2.173 |
|||
3.3 |
FIXED |
Oracle GlassFish Server Local Security Vulnerability |
4.1.2.173 |
Fixed in GlassFish 5 code, ported to Payara Server |
||
4.3 |
FIXED |
Oracle GlassFish Server Remote Security Vulnerability |
4.1.2.173 |
Fixed in GlassFish 5 code, ported to Payara Server |
||
7.3 |
FIXED |
Oracle GlassFish Server Remote Security Vulnerability |
4.1.2.173 |
Fixed in GlassFish 5 code, ported to Payara Server |
||
7.3 |
FIXED |
Oracle GlassFish Server Remote Security Vulnerability |
4.1.2.173 |
Fixed in GlassFish 5 code, ported to Payara Server |
||
9.0 |
FIXED |
Oracle GlassFish Server Remote Security Vulnerability |
4.1.2.173 |
Fixed in GlassFish 5 code, ported to Payara Server |
||
8.8 |
N/A |
Oracle GlassFish Server vulnerability in Oracle Fusion Middleware |
Affects an older version of GlassFish but not Payara Server |
|||
N/A (V2: 4.3) |
FIXED |
XSS Vulnerabilities in Dojo libraries used for admin console |
4.1.1.163 |
|||
N/A (V2: 5.0) |
FIXED |
Apache Commons Compress bzip2 vulnerability allows DDoS attacks |
4.1.1.163 |
|||
N/A (V2: 4.4) |
FIXED |
Race condition in outdated jLine code allows arbitrary code execution |
4.1.1.171 |
|||
N/A (V2: 7.5) |
FIXED |
Apache Commons FileUpload allows DDoS attacks via crafted |
4.1.1.154.1 |
|||
N/A (V2: 7.5) |
N/A |
Vulnerabilities on Apache JSTL allows arbitrary code injection |
Payara Server uses the |
|||
N/A (V2: 6.4) |
N/A |
Vulnerabilities in smb_request_state function in cURL |
Payara Server doesn’t ship with either cURL or licurl so it’s not affected |
|||
8.1 |
N/A |
Apache Tomcat Vulnerability in session recycling for SSL requests |
Payara Server implementation of the Request class doesn’t contain the problematic variable being recycled |
|||
8.8 |
N/A |
Apache Tomcat Manager Applications Session and CSRF token vulnerabilities |
Unrelated to Payara Server since this affects specific Tomcat applications |
|||
4.3 |
N/A |
Apache Tomcat Vulnerability on |
Payara Server doesn’t use the |
|||
8.8 |
N/A |
Session persistence in Apache Tomcat allows arbitrary code injection |
Payara Server doesn’t use the affected objects in the same way that Tomcat does so the flaw is not present |
|||
6.3 |
FIXED |
Vulnerability in |
4.1.1.164.1 |
|||
7.5 |
FIXED |
Apache Commons FileUpload allows DDoS attacks via |
4.1.1.163 |
|||
9.0 |
FIXED |
Unspecified vulnerability in various versions of the Oracle JDK and JRockit |
4.1.1.164.1 |
|||
9.8 |
FIXED |
Unspecified vulnerability on Oracle GlassFish 3.0+ affects confidentiality |
4.1.1.163 |
|||
5.8 |
N/A |
Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality |
Affects an older version of GlassFish but not Payara Server |
|||
8.1 |
FIXED |
Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet |
4.1.1.163.1 |
|||
5.8 |
N/A |
Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality |
Affects an older version of GlassFish but not Payara Server |
|||
8.8 |
PENDING |
Unspecified vulnerability on JSF implementation for Oracle Glassfish 3.0+ |
Pending for assesment |
|||
7.1 |
N/A |
Apache Tomcat HTTP request parsing vulnerability allow injection of data into reponse |
Payara Server doesn’t have included the Coyote components affected |
|||
7.5 |
FIXED |
Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. |
4.1.1.161 |
Fixed by patching Woodstock |
Additionally, here are is a list of non-CVE vulnerabilities reported and analyzed as well:
Reference | Status | Summary | Release | Pull Requests | Observations |
---|---|---|---|---|---|
Payara Enterprise Support Ticket |
FIXED |
Vulnerability in Metro’s WSDL Code Importing/Parsing - Remote Code Execution |
5.2021.3 |
[#5198] |
Recommended to immediately upgrade to this release if using any JAX-WS features in applications deployed in public-facing environments. |
FIXED |
Web administration console is vulnerable against clickjacking/UI redress attacks. |
4.1.2.174 |
|||
Payara Support Ticket |
FIXED |
Under some circumstances authenticated caller/user identities get confused. |
4.1.1.171.11 |
||
Payara Support Ticket |
FIXED |
CORBA security context gets corrupted under certain conditions |
4.1.2.181.2, 4.1.2.182, 5.182 |