users@glassfish.java.net

Re: CPU-APR-2013 Patch

From: John Clingan <john.clingan_at_oracle.com>
Date: Thu, 27 Feb 2014 06:35:42 -0800

Glenn/Brian, these issues were fixed in the April '13 Critical Patch Update, which equates to Oracle GlassFish Server 3.1.2.5. Oracle GlassFish Server customers that have an active support contract can download and install this patch.

Hope this helps.

On Feb 26, 2014, at 4:44 AM, Wilkins, Brian <bwilkins_at_harris.com> wrote:

> Good question. This was in response to Retina reporting a finding. Maybe it doesn't affect 3.1.2.2.
>
> -----Original Message-----
> From: Glenn Holmer [mailto:gholmer_at_weycogroup.com]
> Sent: Tuesday, February 25, 2014 4:40 PM
> To: users_at_glassfish.java.net
> Subject: Re: CPU-APR-2013 Patch
>
> On 02/25/2014 11:06 AM, Wilkins, Brian wrote:
>> Where can I download the patch to fix the vulnerability in the REST
>> and ADMIN interface as detailed in CVE-2013-1508 and CVE-2013-1515 for
>> GlassFish 3.1.2.2?
>
> Looking closely at the Oracle CPU:
>
> http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
>
> (search on the CVE number), it lists the affected versions as "3.0.1, 3.1.2". Does this vulnerability exist in 3.1.2.2 as well?
>
> --
> Glenn Holmer
> Weyco Group, Inc.
> phone: 414-908-1809
> fax: 414-908-1601