Glassfish admin console directory traversal exposes file system resources #3

Open
tdilauro opened this issue Feb 3, 2017 · 0 comments

tdilauro commented Feb 3, 2017

Hello Dataverse Admins,

We want to make you aware of a vulnerability in Glassfish and provide some recommendations to help you deploy Dataverse securely.

First, the vulnerability:

An attacker can use a directory traversal exploit to read a file from the local filesystem. If the Glassfish server process is running as a user that can read this file, and the file contains the password for the Glassfish admin console, the attacker can then upload a shellcode exploit for Glassfish. This permits an unauthenticated remote user to run malicious code on the Glassfish server.

Some links with more information:

The recommendations to mitigate the risk related to this vulnerability (in order from highest impact/effort ratio to lowest):

  • You should block access to the Glassfish administration port (default 4848/tcp). If you must access the Glassfish administration port, do so through an SSH tunnel. If you cannot provide an SSH tunnel, restrict access to the Glassfish administration port so that it is only accessible from specific IP addresses known to be assigned to Glassfish administrators.
  • Do not run Glassfish as root. Instead, create a new local user account. Use this account only for running Glassfish.
  • Do not store the Glassfish admin password in a local file. Or, if you must store it in a local file, do not store it in the default location (/root/.gfclient/pass).
  • Perform Glassfish security updates regularly.

Please let us know if you have any questions by contacting us at [email protected].

Thanks,

The Dataverse Team
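The recommendations above are host-level checks an administrator can script. The following POSIX-sh audit is an added example, not code from the Dataverse project or from Glassfish: it tests whether the admin port is bound beyond loopback, whether the Glassfish JVM runs as root, and whether a password file sits at the default location the advisory names, and prints (without applying) the iptables rules and SSH tunnel command that address the first point. 4848/tcp is the default admin port named in the advisory; the administrator CIDR 203.0.113.0/24, the hostnames, and the captured `ss`/`ps` text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Dataverse advisory or of Glassfish itself:
# a POSIX-sh audit for the host-level recommendations above. 4848/tcp is the
# default admin port named in the advisory; the administrator CIDR, hostnames,
# and the captured `ss`/`ps` text below are constructed for illustration.

GF_ADMIN_PORT=4848

# 1. Admin listener exposure. Reads `ss -ltn` output on stdin and succeeds (0)
#    when the admin port is bound to anything other than a loopback address.
gf_admin_exposed() {
    awk -v port="$GF_ADMIN_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # local address is "addr:port"
            if (a[n] != port) next
            if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) next   # loopback only: fine
            found = 1                         # 0.0.0.0, *, [::] or a real address
        }
        END { exit found ? 0 : 1 }'
}

# 2. Process owner. Reads `ps -eo user,args` output on stdin and succeeds (0)
#    when a Glassfish JVM is owned by root.
gf_runs_as_root() {
    awk '$1 == "root" && /[Gg]lass[Ff]ish/ { found = 1 }
         END { exit found ? 0 : 1 }'
}

# 3. Stored admin password at the default location the advisory names.
#    An alternative path may be passed for testing.
gf_pass_file_present() {
    [ -f "${1:-/root/.gfclient/pass}" ]
}

# Remediation helpers: print (do not apply) iptables rules that admit the admin
# port only from loopback plus, optionally, one administrator CIDR, and the
# SSH tunnel an administrator uses instead of reaching the port directly.
gf_firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s 127.0.0.1 -j ACCEPT\n' "$GF_ADMIN_PORT"
    if [ -n "${1:-}" ]; then
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$GF_ADMIN_PORT" "$1"
    fi
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$GF_ADMIN_PORT"
}

gf_ssh_tunnel_cmd() {
    # Afterwards the console is reached at http://localhost:4848/ on the admin's machine.
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$GF_ADMIN_PORT" "$GF_ADMIN_PORT" "$1"
}

# Run the three checks against the live host; exit 1 if anything is found.
gf_audit() {
    rc=0
    if ss -ltn 2>/dev/null | gf_admin_exposed; then
        echo "WARN: admin port $GF_ADMIN_PORT is reachable beyond loopback. Suggested rules:"
        gf_firewall_rules "${GF_ADMIN_CIDR:-}"
        echo "or tunnel instead: $(gf_ssh_tunnel_cmd "admin@$(hostname)")"
        rc=1
    fi
    if ps -eo user,args 2>/dev/null | gf_runs_as_root; then
        echo "WARN: Glassfish JVM runs as root; run it under a dedicated unprivileged account"
        rc=1
    fi
    if gf_pass_file_present; then
        echo "WARN: admin password stored at /root/.gfclient/pass"
        rc=1
    fi
    return $rc
}

# Constructed sample captures, used to demonstrate the checks offline.
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4848      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080    0.0.0.0:*'
SAMPLE_SS_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4848    0.0.0.0:*
LISTEN 0      128    [::1]:4848        [::]:*'
SAMPLE_PS_ROOT='USER      COMMAND
root      /usr/bin/java -cp /opt/glassfish4/glassfish/modules/glassfish.jar com.sun.enterprise.glassfish.bootstrap.ASMain -domainname domain1'
SAMPLE_PS_SAFE='USER      COMMAND
glassfish /usr/bin/java -cp /opt/glassfish4/glassfish/modules/glassfish.jar com.sun.enterprise.glassfish.bootstrap.ASMain -domainname domain1'

# Usage: sh gf_audit.sh audit   (sourcing the file only defines the functions)
if [ "${1:-}" = audit ]; then
    gf_audit
fi
```

Run it as `sh gf_audit.sh audit` on the Glassfish host, with `GF_ADMIN_CIDR` set if administrators connect from a known range. The firewall rules are printed rather than applied because `-A` appends: they must be inserted above any broad ACCEPT already in the INPUT chain, or the final DROP never matches. Binding the admin listener to 127.0.0.1 and tunnelling over SSH removes the exposure entirely and is the preferred option.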

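The first link in the attack chain described above is a traversal request against the admin console, so administrators who already had 4848/tcp exposed will want to look for it in their logs. The filter below is an added example, not code from the Dataverse project or from Glassfish: it reads HTTP access-log lines and prints those whose request carries a ".." sequence in plain, URL-encoded, double-encoded or overlong-UTF-8 form. The log lines are constructed in the common/combined format; Glassfish access logging is enabled per HTTP listener and its format is configurable, so the sample is an assumption about layout, not a capture.

```shell
#!/bin/sh
# Added example, not from the advisory: flag directory-traversal attempts in
# access-log lines for the Glassfish admin listener. The log lines below are
# constructed in the common/combined format; Glassfish access logging is
# enabled per HTTP listener and its format is configurable, so adjust to yours.

# Reads log lines on stdin, prints the suspicious ones, and succeeds (0) when at
# least one was found. Matching is case-insensitive and covers plain "../" and
# "..\", the URL-encoded and double-encoded spellings of "..", and the %c0%ae
# overlong-UTF-8 form. It does not fully URL-decode, so any other encoding
# needs its own pattern; review hits by hand, since a legitimate referer can
# also contain "../".
gf_traversal_hits() {
    awk '
        {
            l = tolower($0)
            if (l ~ /\.\.\// || l ~ /\.\.\\/ || l ~ /%2e%2e/ || l ~ /\.\.%2f/ ||
                l ~ /\.\.%5c/ || l ~ /%252e%252e/ || l ~ /%c0%ae/) {
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: two benign requests and three traversal probes, one of
# them aimed at the password file location named in the advisory.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [03/Feb/2017:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5321
203.0.113.7 - - [03/Feb/2017:10:15:09 +0000] "GET /resource/%2e%2e/%2e%2e/%2e%2e/root/.gfclient/pass HTTP/1.1" 200 37
198.51.100.22 - - [03/Feb/2017:10:16:41 +0000] "GET /resource/../../../etc/passwd HTTP/1.1" 404 0
198.51.100.22 - - [03/Feb/2017:10:16:50 +0000] "GET /resource/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [03/Feb/2017:10:17:02 +0000] "GET /favicon.ico HTTP/1.1" 200 1150'

# Usage: sh gf_traversal.sh < /path/to/admin-listener-access.log
#        sh gf_traversal.sh demo      (runs against the constructed sample)
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | gf_traversal_hits
elif [ -z "${1:-}" ] && [ ! -t 0 ]; then
    gf_traversal_hits
fi
```

A 200 response with a small body on a traversal request, as in the second sample line, is the case that matters: it indicates the file was actually served, and the admin password should then be treated as compromised and rotated.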