Oracle GlassFish Administration Console XSS

May 4, 2012

GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation. It is the reference implementation of Java EE and as such supports Enterprise JavaBeans, JPA, JavaServer Faces, JMS, RMI, JavaServer Pages, servlets, etc. The Administration Console provided in Oracle GlassFish is a browser-based utility that features a graphical interface for administrative tasks. By default, the Administration Console listens on TCP port 4848.

Multiple cross-site scripting vulnerabilities have been reported in the Oracle GlassFish Administration Console. Specifically, several JavaServer Faces resources in the Administration Console do not properly sanitize incoming request parameter values before rendering them in the page output.

An attacker could exploit this vulnerability by embedding malicious script code in a URL and enticing the target user to open that URL in a browser. Successful exploitation would allow the attacker to steal the target user's private information, such as the username, password and session cookie. The attacker could then use those credentials to gain full access to the administrator's account and the underlying GlassFish server.

The vulnerability has been assigned CVE-2012-0551.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 7762 Oracle GlassFish Administration Console XSS 1
  • 7763 Oracle GlassFish Administration Console XSS 2
  • 7764 Oracle GlassFish Administration Console XSS 3
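The following is an added illustration, not code from GlassFish or from SonicWALL, of the two sides of this advisory: the defect class described above (a request parameter reflected into a page without encoding) next to its hardened form, and a request-level check in the spirit of the IPS signatures listed above, run over constructed access-log lines. Python is used instead of Java so the block runs stand-alone; the path /admin/page.jsf, the parameter name q and the log lines are assumptions, since the advisory does not name the affected resources.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed page template in the shape of a JSF page that reflects a request
# parameter into an element body and into an attribute value. The path
# /admin/page.jsf and the parameter name "q" are hypothetical; the advisory
# does not name the affected resources.
TEMPLATE = '<h1>Search: {body}</h1><input name="q" value="{attr}">'


def first_param(query, name):
    """Return the first (percent-decoded) value of a query-string parameter."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query):
    """Reflects the parameter verbatim: the defect class the advisory describes."""
    q = first_param(query, "q")
    return TEMPLATE.format(body=q, attr=q)


def render_hardened(query):
    """Encodes the value before it reaches the page, so markup in the input is
    rendered as text in both the element-body and the attribute context."""
    q = first_param(query, "q")
    safe = html.escape(q, quote=True)  # & < > " ' become entities
    return TEMPLATE.format(body=safe, attr=safe)


# Detection side, modelled on what a network signature checks: does any
# percent-decoded query parameter of the request carry an HTML tag, an
# event-handler attribute or a javascript: URL?
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_params(log_line):
    """Return the decoded parameter values in one access-log line that contain markup."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    for values in parse_qs(query, keep_blank_values=True).values():
        hits.extend(v for v in values if MARKUP_RE.search(v))
    return hits


def scan_log(lines):
    """Map each flagged line index to its suspicious parameter values."""
    flagged = {}
    for i, line in enumerate(lines):
        values = suspicious_params(line)
        if values:
            flagged[i] = values
    return flagged


# Constructed access-log lines for a console on port 4848; not real GlassFish logs.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2012:10:00:01] "GET /admin/page.jsf?q=hello HTTP/1.1" 200',
    '10.0.0.9 - - [04/May/2012:10:00:07] "GET /admin/page.jsf?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '10.0.0.9 - - [04/May/2012:10:00:09] "GET /admin/page.jsf?q=%22%20onmouseover%3D%22x HTTP/1.1" 200',
]


if __name__ == "__main__":
    probe = "q=%3Cscript%3Ealert(1)%3C/script%3E"
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("flagged:   ", scan_log(SAMPLE_LOG))
```

The third sample line shows why encoding must cover the attribute context as well as the element body: a value containing only a double quote and an event-handler name carries no angle brackets, yet it breaks out of the `value="..."` attribute in the vulnerable rendering, while `html.escape(..., quote=True)` keeps it inside the attribute. Signature-style detection on the request is a useful second layer, but it is inherently pattern-based; the fix is encoding on output.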