users@glassfish.java.net

Re: CPU-APR-2013 Patch

From: John Clingan <john.clingan_at_oracle.com>
Date: Thu, 27 Feb 2014 06:51:18 -0800

There are two options to get the fix:

1) Purchase an Oracle GlassFish Server license and support
2) Upgrade to GlassFish 4

When we fix bugs, they are applied to the commercial sustaining branch and to the trunk. The bugs fixed in the trunk are picked up in the next release (GlassFish 4 in this case).

Hope this helps.

On Feb 27, 2014, at 6:41 AM, Wilkins, Brian <bwilkins_at_harris.com> wrote:

> What about Open Source/Community Edition members?
>
> -----Original Message-----
> From: John Clingan [mailto:john.clingan_at_oracle.com]
> Sent: Thursday, February 27, 2014 9:36 AM
> To: users_at_glassfish.java.net
> Subject: Re: CPU-APR-2013 Patch
>
> Glenn/Brian, these issues were fixed in the April '13 Critical Patch Update, which equates to Oracle GlassFish Server 3.1.2.5. Oracle GlassFish Server customers that have an active support contract can download and install this patch.
>
> Hope this helps.
>
> On Feb 26, 2014, at 4:44 AM, Wilkins, Brian <bwilkins_at_harris.com> wrote:
>
>> Good question. This was in response to Retina reporting a finding. Maybe it doesn't affect 3.1.2.2.
>>
>> -----Original Message-----
>> From: Glenn Holmer [mailto:gholmer_at_weycogroup.com]
>> Sent: Tuesday, February 25, 2014 4:40 PM
>> To: users_at_glassfish.java.net
>> Subject: Re: CPU-APR-2013 Patch
>>
>> On 02/25/2014 11:06 AM, Wilkins, Brian wrote:
>>> Where can I download the patch to fix the vulnerability in the REST
>>> and ADMIN interface as detailed in CVE 2013-1508 and CVE 2013-1515
>>> for GlassFish 3.1.2.2?
>>
>> Looking closely at the Oracle CPU:
>>
>> http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
>>
>> (search on the CVE number), it lists the affected versions as "3.0.1, 3.1.2". Does this vulnerability exist in 3.1.2.2 as well?
>>
>> --
>> Glenn Holmer
>> Weyco Group, Inc.
>> phone: 414-908-1809
>> fax: 414-908-1601
>>
>