Security Advisories
The following is a list of reported Common Vulnerabilities and Exposures that have been analyzed and documented across releases:

| ID | CVSS Score | Status | Summary | Release | Observations |
|---|---|---|---|---|---|
| | 8.7 | FIXED | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. | 5.68.0, 4.1.2.191.51 | Payload Injection Attack via Management REST interface |
| | 6.7 | FIXED | When the | 5.67.0, 4.1.2.191.50 | Exposes passwords through server log. |
| | 7.0 | FIXED | REST Interface Link Redirection via Host parameter | 5.67.0, 4.1.2.191.50 | Only affects the Server admin REST interface. |
| | 4.8 | FIXED | In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. | 4.1.2.191.49 | Fixed by upgrading Apache Commons IO. |
| | - | FIXED | In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component | 5.64.0 | Fixed by upgrading Nimbus Jose JWT bundled in Payara Server, and the version used to compile the Payara security connectors. |
| | 7.5 | FIXED | In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect. To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale. | 5.62.0, 4.1.2.191.48 | Fixed by backporting Parsson fixes to the previously unnamed JSONP impl used by Payara 5 & 4 |
| | 5.5 | FIXED | A specially crafted ZIP archive can cause an out of memory error | 5.58.0, 4.1.2.191.47 | Fixed by Apache Ant upgrade |
| | 5.5 | FIXED | A specially crafted TAR archive can cause an out of memory error | 5.58.0, 4.1.2.191.47 | Fixed by Apache Ant upgrade |
| | 6.3 | FIXED | Sensitive information may be leaked by the default temporary directory | 5.58.0, 4.1.2.191.47 | Fixed by Apache Ant upgrade |
| | 6.1 | FIXED | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature on root context | 5.57.0, 4.1.2.191.46 | Fixed by porting fix from Apache Tomcat. |
| | 7.5 | FIXED | [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. | 5.56.0 | Fixed by upgrading shaded json-smart version on Ecosystem Security submodule. |
| | 8.1 | FIXED | When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | 5.55.0, 4.1.2.191.45 | Fixed by porting solution from Tomcat. |
| | 7.5 | FIXED | Json-smart is a library used by Payara Server for processing JSON in our implementations of MicroProfile. It was discovered that Json-smart does not limit the nesting of arrays or objects, the parsing of which is done recursively, and could lead to stack exhaustion and crash the software. | 5.51.0 | Fixed by updating Json-smart to 2.4.10. |
| | 9.8 | FIXED | Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. | | This can only be triggered if explicitly using hazelcast to parse XML data. |
| | 9.8 | N/A | JNDI Exploit using | | This issue only affects Payara Server environments that run on Java 1.8 updates equal or lower than |
| | 9.8 | FIXED | SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution | 5.51.0 | SnakeYaml constructors are not used by any features or facilities, so this vulnerability doesn’t affect Payara Platform Enterprise. Fixed by updating SnakeYaml to 2.0. |
| | 9.8 | FIXED | In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. | 5.47.0 | Fixed by removing OpenSSL from Payara Docker Images |
| | 9.8 | FIXED | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. | 5.47.0 | Fixed by removing OpenSSL from Payara Docker Images |
| | 9.8 | FIXED | Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. | 5.46.0 | Fixed by upgrading Apache BCEL to 6.6.1 |
| | 7.5 | FIXED | An exploit gives attackers a way to explore the contents of the WEB-INF and META-INF folders if an application is deployed to the root context. | 5.45.0 | Internal fix on Servlet engine |
| | N/A | FIXED | A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request. | 5.44.0 | Fixed by upgrading nimbus-jose-jwt to 9.25 |
| | N/A | FIXED | Vulnerability exploit using ROOT context root deployments | 5.42.0 | Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro |
| | 7.5 | FIXED | jackson-databind allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | 5.38.0 | Fixed by upgrading jackson-databind to 2.12.6.1 |
| | 7.5 | FIXED | ZLib allows memory corruption when deflating (i.e. when compressing) if the input has many distant matches. | 5.38.0 | Fixed by upgrading to Azul JDK version using ZLib 1.2.12 in Payara Docker Images. |
| | 9.8 | FIXED | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | 5.38.0 | The original vulnerability is in the Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. The fix in the Payara Platform mitigates the Spring vulnerability by blocking the Payara classloader from giving access to Payara Platform internals. |
| | N/A | N/A | Unauthenticated RCE in H2 Database Console | | Doesn’t affect Payara Platform. The Payara Platform doesn’t launch the H2 Database Console and doesn’t make it available in any way. |
| | 7.5 | FIXED | The "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element, allowing abuse of an XPath Transform to extract any local .xml files in a RetrievalMethod element. | 5.34.0 | Fixed by upgrading Apache Santuario to 2.2.3 |
| | 6.5 | FIXED | Remote code execution vulnerability in H2 DB because CREATE ALIAS can execute arbitrary Java code | 5.32.0 | Fixed by upgrading H2 DB to 1.4.200 |
| | 4.0 | FIXED | Insecure handling of permissions in the backup function of the H2 DB | 5.32.0 | Fixed by upgrading H2 DB to 1.4.200 |
| | 5.3 | FIXED | Improper Limitation of a pathname to a restricted directory (exposes an application to "Path Traversal") when context root is / | 5.31.0 | Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro |
| | 7.5 | FIXED | A flaw in FasterXML Jackson Databind 2.10.2 leaves it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. | 5.30.0 | Fixed by upgrading Jackson Databind to 2.12.4 |
| | 7.5 | FIXED | A vulnerability in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 causes a denial of service (DOS) via a crafted web request. | 5.30.0 | Fixed by upgrading JSON Smart to 2.4.7 |
| | 5.3 | FIXED | A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid | 5.29.0 | Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version |
| | 5.3 | FIXED | A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls. | 5.23.1 | Fixed by upgrading Hibernate Validator to 6.1.5 |
| | 9.8 | FIXED | Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | 5.21.2 | Fixed by upgrading Nimbus JOSE+JWT to 8.20 |
| | 7.5 | FIXED | Eclipse Mojarra is vulnerable to a path traversal flaw via either of the loc/con parameters | 5.201 | Fixed by upgrading Mojarra to 2.3.14 |
| | 7.5 | FIXED | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9 | 5.193, 5.192.1, 5.191.4 | |
| | 10.0 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | Fixed in FasterXML Jackson 2.9.7, component updated |
| | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | Fixed in FasterXML Jackson 2.9.7, component updated |
| | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | Fixed in FasterXML Jackson 2.9.7, component updated |
| | 9.8 | FIXED | FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code | 5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10 | Fixed in FasterXML Jackson 2.9.7, component updated |
| | 7.5 | FIXED | Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. | 5.191, 5.184.1, 5.181.10 | Fixed in Eclipse Mojarra 2.3.9, component updated |
| | 9.8 | FIXED | Default typing issue in Jackson Databind | 4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182 | Fixed in Jackson Databind 2.9.5, component updated |
| | 7.5 | N/A | Apache Tomcat security constraint bypass and VirtualDirContext vulnerability | | Unrelated to Payara Server |
| | 8.1 | FIXED | Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs | 4.1.2.174 | Fixed in Apache Tomcat, ported to Payara Server |
| | 9.8 | FIXED | Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution | 4.1.2.173 | |
| | 3.3 | FIXED | Oracle GlassFish Server Local Security Vulnerability | 4.1.2.173 | Fixed in GlassFish 5 code, ported to Payara Server |
| | 4.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | Fixed in GlassFish 5 code, ported to Payara Server |
| | 7.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | Fixed in GlassFish 5 code, ported to Payara Server |
| | 7.3 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | Fixed in GlassFish 5 code, ported to Payara Server |
| | 9.0 | FIXED | Oracle GlassFish Server Remote Security Vulnerability | 4.1.2.173 | Fixed in GlassFish 5 code, ported to Payara Server |
| | 8.8 | N/A | Oracle GlassFish Server vulnerability in Oracle Fusion Middleware | | Affects an older version of GlassFish but not Payara Server |
| | N/A (V2: 4.3) | FIXED | XSS Vulnerabilities in Dojo libraries used for admin console | 4.1.1.163 | |
| | N/A (V2: 5.0) | FIXED | Apache Commons Compress bzip2 vulnerability allows DDoS attacks | 4.1.1.163 | |
| | N/A (V2: 4.4) | FIXED | Race condition in outdated jLine code allows arbitrary code execution | 4.1.1.171 | |
| | N/A (V2: 7.5) | FIXED | Apache Commons FileUpload allows DDoS attacks via crafted | 4.1.1.154.1 | |
| | N/A (V2: 7.5) | N/A | Vulnerabilities in Apache JSTL allow arbitrary code injection | | Payara Server uses the |
| | N/A (V2: 6.4) | N/A | Vulnerabilities in | | Payara Server doesn’t ship with either |
| | 8.1 | N/A | Apache Tomcat Vulnerability in session recycling for SSL requests | | Payara Server implementation of the Request class doesn’t contain the problematic variable being recycled |
| | 8.8 | N/A | Apache Tomcat Manager Applications Session and CSRF token vulnerabilities | | Unrelated to Payara Server since this affects specific Tomcat applications |
| | 4.3 | N/A | Apache Tomcat Vulnerability on | | Payara Server doesn’t use the |
| | 8.8 | N/A | Session persistence in Apache Tomcat allows arbitrary code injection | | Payara Server doesn’t use the affected objects in the same way that Tomcat does so the flaw is not present |
| | 6.3 | FIXED | Vulnerability in | 4.1.1.164.1 | |
| | 7.5 | FIXED | Apache Commons FileUpload allows DDoS attacks via | 4.1.1.163 | |
| | 9.0 | FIXED | Unspecified vulnerability in various versions of the Oracle JDK and | 4.1.1.164.1 | |
| | 9.8 | FIXED | Unspecified vulnerability on Oracle GlassFish 3.0+ affects confidentiality | 4.1.1.163 | |
| | 5.8 | N/A | Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality | | Affects an older version of GlassFish but not Payara Server |
| | 8.1 | FIXED | Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet | 4.1.1.163.1 | |
| | 5.8 | N/A | Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality | | Affects an older version of GlassFish but not Payara Server |
| | 8.8 | N/A | Unspecified vulnerability on JSF implementation for Oracle Glassfish 3.0+ | | Affects an older version of GlassFish but not Payara Server |
| | 7.1 | N/A | Apache Tomcat HTTP request parsing vulnerability allows injection of data into response | | Payara Server doesn’t include the affected Coyote components |
| | 7.5 | FIXED | Oracle GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal, which can be exploited by issuing a specially crafted HTTP GET request. | 4.1.1.161 | Fixed by patching Woodstock |

Non-CVE Vulnerabilities
Here is a collection of historic non-CVE vulnerabilities that may warrant attention:

| Reference | Status | Summary | Release | Observations |
|---|---|---|---|---|
| FISH-6775 | FIXED | Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module | 5.46.0 | |
| sonatype-2014-0173 | FIXED | commons-fileupload version 1.3.3 has a potential resource leak issue | 5.44.0 | Fixed by upgrading commons-fileupload to 1.4 |
| Payara Enterprise Support Ticket | FIXED | Vulnerability in Metro’s WSDL Code Importing/Parsing - Remote Code Execution | 5.28.0 | Recommended to immediately upgrade to this release if using any JAX-WS features in applications deployed in public-facing environments. |
| | FIXED | Web administration console is vulnerable to clickjacking/UI redress attacks. | 4.1.2.174 | |
| Payara Support Ticket | FIXED | Under some circumstances authenticated caller/user identities get confused. | 4.1.1.171.11 | |
| Payara Support Ticket | FIXED | CORBA security context gets corrupted under certain conditions | 4.1.2.181.2, 4.1.2.182, 5.182 | |