Learn about CVE-2017-10393, a vulnerability in Oracle GlassFish Server impacting versions 3.0.1 and 3.1.2. Understand the exploitation risks, impacts, and mitigation steps.
Oracle GlassFish Server Vulnerability
Understanding CVE-2017-10393
What is CVE-2017-10393?
CVE-2017-10393 is a vulnerability in the Web Container component of Oracle GlassFish Server, part of Oracle Fusion Middleware. The affected versions are 3.0.1 and 3.1.2. An unauthenticated attacker with network access via HTTP can exploit it, but a successful attack requires human interaction. Successful exploitation allows unauthorized access to certain data and a partial denial of service, so it affects confidentiality, integrity, and availability.
The Impact of CVE-2017-10393
This vulnerability has a CVSS 3.0 Base Score of 6.3, with impacts on confidentiality, integrity, and availability. An attacker can gain unauthorized update, insert, or delete access to data within Oracle GlassFish Server, as well as unauthorized read access to data, and can cause a partial denial of service.
Technical Details of CVE-2017-10393
Vulnerability Description
The vulnerability in Oracle GlassFish Server allows an unauthenticated attacker to compromise the server through the Web Container component, impacting versions 3.0.1 and 3.1.2.
Affected Systems and Versions
Exploitation Mechanism
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates