GlassFish admin console weak credentials - Vulnerability Database

GlassFish admin console weak credentials

Description

The GlassFish Admin Console is secured with weak, default, or easily guessable credentials. Invicti successfully authenticated to the administrative interface using common username and password combinations. Weak credentials include default vendor passwords, dictionary words, short passwords, or predictable patterns that can be compromised through automated brute-force attacks or credential stuffing.

Remediation

Immediately change the administrative credentials to strong, unique passwords. Implement a password policy requiring a minimum length of 12 characters with a mix of uppercase, lowercase, numbers, and special characters. Disable or remove all default accounts. Restrict access to the admin console by IP address using firewall rules or GlassFish's built-in network listener configuration. Consider implementing multi-factor authentication if supported by your GlassFish version. In the GlassFish configuration, update the admin password using the asadmin change-admin-password command and, where remote access is not required, restrict network access by modifying the domain.xml file so that the admin listener binds to localhost only. Regularly audit administrative accounts and review access logs for unauthorized access attempts.
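Added example, not code from Invicti or the GlassFish project: a POSIX shell check that reads the admin-listener binding from a domain.xml and reports whether it is restricted to loopback as the remediation describes. The domain.xml fragment is constructed; the admin-listener element name and the asadmin set dotted path are standard GlassFish, and the check assumes GlassFish's default of binding to 0.0.0.0 when no address attribute is present.

```shell
#!/bin/sh
# Constructed sample domain.xml fragment (not from a real deployment). The
# admin-listener carries no address attribute, so it listens on all interfaces.
SAMPLE_DOMAIN_XML='<domain>
  <configs><config name="server-config"><network-config><network-listeners>
    <network-listener port="4848" protocol="admin-listener" transport="tcp" name="admin-listener" thread-pool="admin-thread-pool"></network-listener>
    <network-listener port="8080" protocol="http-listener-1" transport="tcp" name="http-listener-1" thread-pool="http-thread-pool"></network-listener>
  </network-listeners></network-config></config></configs>
</domain>'

# admin_listener_address FILE: print the address the admin-listener binds to.
# An absent address attribute is reported as 0.0.0.0 (GlassFish's default).
admin_listener_address() {
  addr=$(grep -o '<network-listener [^>]*name="admin-listener"[^>]*>' "$1" \
         | sed -n 's/.* address="\([^"]*\)".*/\1/p')
  printf '%s\n' "${addr:-0.0.0.0}"
}

# admin_listener_is_local FILE: return 0 if bound to loopback, 1 otherwise.
admin_listener_is_local() {
  case "$(admin_listener_address "$1")" in
    127.0.0.1|localhost|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# report FILE: one-line finding, with the asadmin remediation for the weak case.
report() {
  if admin_listener_is_local "$1"; then
    echo "$1: admin-listener bound to $(admin_listener_address "$1") (loopback only)"
  else
    echo "$1: admin-listener bound to $(admin_listener_address "$1") (reachable remotely)"
    echo "  fix: asadmin set server-config.network-config.network-listeners.network-listener.admin-listener.address=127.0.0.1"
    echo "  and: asadmin change-admin-password"
  fi
}

# Write the constructed default and a hardened copy (address="127.0.0.1") to
# temporary files so the check can be run end to end.
CHECK_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_DOMAIN_XML" > "$CHECK_DIR/default-domain.xml"
printf '%s\n' "$SAMPLE_DOMAIN_XML" \
  | sed 's/name="admin-listener"/name="admin-listener" address="127.0.0.1"/' \
  > "$CHECK_DIR/hardened-domain.xml"

report "$CHECK_DIR/default-domain.xml"
report "$CHECK_DIR/hardened-domain.xml"
```

Point `report` at a live domain's `config/domain.xml` to audit an existing installation; a listener bound to 0.0.0.0 is what makes the weak credentials remotely exploitable.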
