Security Fixes Summary

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

ID CVSS v3.0 Base Score Status Summary Release Pull Requests Observations

CVE-2021-28170

5.3

FIXED

A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid

5.29.0

el-ri #160

Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version

CVE-2020-10693

5.3

FIXED

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls.

5.23.1

Fixed by upgrading Hibernate Validator to 6.1.5

CVE-2019-17195

9.8

FIXED

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

5.21.2

Fixed by upgrading Nimbus JOSE+JWT to 8.20

CVE-2020-6950

7.5

FIXED

Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters

5.201

#4492

Fixed by upgrading Mojarra to 2.3.14

CVE-2019-12086

7.5

FIXED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9

5.193, 5.192.1, 5.191.4

#4004

CVE-2018-14721

10.0

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

#3461, #3513

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14720

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

#3461, #3513

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14719

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

#3461, #3513

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14718

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

#3461, #3513

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14371

7.5

FIXED

Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter.

5.191, 5.184.1, 5.181.10

#3687

Fixed in Eclipse Mojarra 2.3.9, component updated

CVE-2018-7489

9.8

FIXED

Default typing issue in Jackson Databind

4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182

#2628

Fixed in Jackson Databind 2.9.5, component updated

CVE-2017-12616

7.5

N/A

Apache Tomcat security constraint bypass and VirtualDirContext vulnerability

Unrelated to Payara Server

CVE-2017-12615

8.1

FIXED

Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs

4.1.2.174

#2023

Fixed in Apache Tomcat, ported to Payara Server

CVE-2016-1000031

9.8

FIXED

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

4.1.2.173

#1776

CVE-2017-3239

3.3

FIXED

Oracle GlassFish Server Local Security Vulnerability

4.1.2.173

#1717

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3247

4.3

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1717

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3249

7.3

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2017-3250

7.3

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2016-5528

9.0

FIXED

Oracle GlassFish Server Remote Security Vulnerability

4.1.2.173

#1712

Fixed in GlassFish 5 code, ported to Payara Server

CVE-2016-5519

8.8

N/A

Oracle GlassFish Server vulnerability in Oracle Fusion Middleware

Affects an older version of GlassFish but not Payara Server

CVE-2007-6726

N/A (V2: 4.3)

FIXED

XSS Vulnerabilities in Dojo libraries used for admin console

4.1.1.163

#35, #978, #979

CVE-2012-2098

N/A (V2: 5.0)

FIXED

Apache Commons Compress bzip2 vulnerability allows DDoS attacks

4.1.1.163

#799, #931, #1005, #1006

CVE-2013-2035

N/A (V2: 4.4)

FIXED

Race condition in outdated jLine code allows arbitrary code execution

4.1.1.171

#931, #1005, #1006, #839, #841, #840

CVE-2014-0050

N/A (V2: 7.5)

FIXED

Apache Commons FileUpload allows DDoS attacks via crafted Content-Type headers

4.1.1.154.1

#560

CVE-2015-0254

N/A (V2: 7.5)

N/A

Vulnerabilities on Apache JSTL allows arbitrary code injection

Payara Server uses the FEATURE_SECURE_PROCESSING feature of JAXP so is not affected

CVE-2015-3237

N/A (V2: 6.4)

N/A

Vulnerabilities in smb_request_state function in cURL

Payara Server doesn’t ship with either cURL or licurl so it’s not affected

CVE-2015-5346

8.1

N/A

Apache Tomcat Vulnerability in session recycling for SSL requests

Payara Server implementation of the Request class doesn’t contain the problematic variable being recycled

CVE-2015-5351

8.8

N/A

Apache Tomcat Manager Applications Session and CSRF token vulnerabilities

Unrelated to Payara Server since this affects specific Tomcat applications

CVE-2016-0706

4.3

N/A

Apache Tomcat Vulnerability on StatusManagerServlet component allows reads of HTTP requests and discover session IDs

Payara Server doesn’t use the StatusManagerServlet component so it’s not affected

CVE-2016-0714

8.8

N/A

Session persistence in Apache Tomcat allows arbitrary code injection

Payara Server doesn’t use the affected objects in the same way that Tomcat does so the flaw is not present

CVE-2016-0763

6.3

FIXED

Vulnerability in ResourceLinkFactory.setGlobalContext method on Apache Tomcat

4.1.1.164.1

#1210

CVE-2016-3092

7.5

FIXED

Apache Commons FileUpload allows DDoS attacks via Multipart class

4.1.1.163

#953

CVE-2016-3427

9.0

FIXED

Unspecified vulnerability in various versions of the Oracle JDK and JRockit

4.1.1.164.1

#1209

CVE-2016-3607

9.8

FIXED

Unspecified vulnerability on Oracle GlassFish 3.0+ affects confidentiality

4.1.1.163

#1029, #1031, #1011

CVE-2016-3608

5.8

N/A

Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality

Affects an older version of GlassFish but not Payara Server

CVE-2016-5388

8.1

FIXED

Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet

4.1.1.163.1

#1051

CVE-2016-5477

5.8

N/A

Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality

Affects an older version of GlassFish but not Payara Server

CVE-2016-5519

8.8

PENDING

Unspecified vulnerability on JSF implementation for Oracle Glassfish 3.0+

Pending for assesment

CVE-2016-6816

7.1

N/A

Apache Tomcat HTTP request parsing vulnerability allow injection of data into reponse

Payara Server doesn’t have included the Coyote components affected

CVE-2017-1000028

7.5

FIXED

Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.

4.1.1.161

#632

Fixed by patching Woodstock

Additionally, here are is a list of non-CVE vulnerabilities reported and analyzed as well:

Reference Status Summary Release Pull Requests Observations

Payara Enterprise Support Ticket

FIXED

Vulnerability in Metro’s WSDL Code Importing/Parsing - Remote Code Execution

5.28.0

#362, #369

Recommended to immediately upgrade to this release if using any JAX-WS features in applications deployed in public-facing environments.

OWASP Docs

FIXED

Web administration console is vulnerable against clickjacking/UI redress attacks.

4.1.2.174

#2097

Payara Support Ticket

FIXED

Under some circumstances authenticated caller/user identities get confused.

4.1.1.171.11

#2493

Payara Support Ticket

FIXED

CORBA security context gets corrupted under certain conditions

4.1.2.181.2, 4.1.2.182, 5.182

#2493