users@glassfish.java.net

RE: CPU-APR-2013 Patch

From: Wilkins, Brian <bwilkins_at_harris.com>
Date: Wed, 26 Feb 2014 12:44:53 +0000

Good question. This was in response to Retina reporting a finding. Maybe it doesn't affect 3.1.2.2.

-----Original Message-----
From: Glenn Holmer [mailto:gholmer_at_weycogroup.com]
Sent: Tuesday, February 25, 2014 4:40 PM
To: users_at_glassfish.java.net
Subject: Re: CPU-APR-2013 Patch

On 02/25/2014 11:06 AM, Wilkins, Brian wrote:
> Where can I download the patch to fix the vulnerability in the REST
> and ADMIN interface as detailed in CVE 2013-1508 and CVE 2013-1515 for
> GlassFish 3.1.2.2?

Looking closely at the Oracle CPU:

http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

(search on the CVE number), it lists the affected versions as "3.0.1, 3.1.2". Does this vulnerability exist in 3.1.2.2 as well?

--
Glenn Holmer
Weyco Group, Inc.
phone: 414-908-1809
fax: 414-908-1601