I am currently running the open source version of Glassfish 3.1.2.2. A recent Nessus security scan of the web server revealed the high risk vulnerability report below.
The recommendation is to update Glassfish to 3.1.2.9. However, I cannot find any link to download a 3.x version later than 3.1.2.2 from either the Glassfish open source project or Oracle.
Does anyone know where I can download Glassfish 3.1.2.9?
I cannot move to Glassfish 4.x as my JSF/ICEfaces 3.x application won't currently run with the JSF 2.2 libraries in Glassfish 4.
Thanks in advance!
-----------------
76591 - Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)
Solution
Upgrade to GlassFish Server 2.1.1.24 / 3.0.1.9 / 3.1.2.9 or later.
Risk Factor
High
CVSS Base Score
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components :
- The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739)
- The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740)
- NSS contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741)
- An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605)
- An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606)
- Oracle Mojarra contains a cross-site scripting vulnerability due to improperly sanitized user-supplied input. This allows an attacker to execute arbitrary script code within the context of the affected site. (CVE-2013-5855)
- Errors exist related to the included Network Security Services (NSS) libraries, 'NewSessionTicket' handshakes, and public Diffie-Hellman values that allow application crashes and possibly arbitrary code execution. (CVE-2014-1490, CVE-2014-1491)
- An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue allows man-in-the-middle attacks. (CVE-2014-1492)
See Also
http://www.nessus.org/u?7de2f8eb
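As an added example (not from the original post or from Nessus), here is a small check that compares an installed GlassFish version against the three fixed versions named in the report's Solution line; it matches on release branch, so a 4.x install is reported as not covered rather than as affected. The installed version strings are constructed samples.

```python
"""Classify an installed GlassFish version against the fix versions in
Nessus plugin 76591 (added example; fix versions copied from the report)."""

from typing import Optional, Sequence, Tuple

# Fixed versions named in the report's Solution line, one per release branch.
FIXED_VERSIONS = ("2.1.1.24", "3.0.1.9", "3.1.2.9")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.2.2' into (3, 1, 2, 2); non-numeric components are rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for_branch(
    installed: Tuple[int, ...], fixed: Sequence[str] = FIXED_VERSIONS
) -> Optional[Tuple[int, ...]]:
    """Return the fixed version whose branch (all but the last component)
    matches the installed version, or None if the report lists no fix for it."""
    for f in fixed:
        fv = parse_version(f)
        if fv[:-1] == installed[: len(fv) - 1]:
            return fv
    return None


def assess(installed_text: str) -> str:
    """Return 'affected', 'fixed', or 'branch not covered' for one version string."""
    installed = parse_version(installed_text)
    fv = fixed_version_for_branch(installed)
    if fv is None:
        return "branch not covered"
    # Pad with zeros so a short string like '3.1.2' compares as 3.1.2.0.
    padded = installed + (0,) * (len(fv) - len(installed))
    return "fixed" if padded >= fv else "affected"


if __name__ == "__main__":
    # Constructed sample versions, including the poster's 3.1.2.2.
    for v in ("3.1.2.2", "3.1.2.9", "3.1.2.10", "3.0.1.8", "4.1.0"):
        print(f"GlassFish {v}: {assess(v)}")
```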