Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability
Description
Oracle Sun GlassFish and Java System Application Server contain a critical authentication bypass vulnerability in the Web Administration component (default TCP port 4848). When processing malformed GET requests to the administrative interface, the application fails to properly handle exceptions, allowing unauthenticated requests to bypass security controls and gain administrative access. This flaw affects versions 2.1, 2.1.1, 3.0.1, and 9.1 of the application server.
Remediation
Apply the Oracle Critical Patch Update (CPU) for April 2011 immediately to remediate this vulnerability. Follow these steps:
1. Download the appropriate patch from Oracle's support portal for your specific GlassFish/Java Application Server version (2.1, 2.1.1, 3.0.1, or 9.1)
2. Review Oracle's Critical Patch Update Advisory (April 2011) for installation instructions and prerequisites
3. Schedule a maintenance window and apply the patch following Oracle's documented procedures
4. Restart the application server after patch installation
5. Verify the patch was applied successfully by checking the server version
As immediate mitigation measures until patching is complete:
- Restrict network access to the administrative interface (port 4848) using firewall rules to allow only trusted IP addresses
- If possible, disable remote administrative access and require local console access only
- Monitor administrative interface access logs for suspicious activity or unauthorized access attempts
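To support the monitoring mitigation above, the following added example (not code from this advisory or from Oracle) screens constructed GlassFish-style access log lines for the admin listener and reports three signals: a source address outside a trusted-network allowlist, a request line that is not well-formed, and a 2xx response to a request with no authenticated user. The log layout, the `/asadmin/` path, the `10.0.0.0/24` trusted network and the sample lines are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample lines in a quoted, space-separated layout modelled on a
# GlassFish HTTP access log (client, auth user, timestamp, request, status,
# bytes). Both the lines and the exact layout are assumptions for this example.
SAMPLE_LOG = """\
"10.0.0.5" "admin" "21/Apr/2011:10:45:21 -0700" "GET /asadmin/ HTTP/1.1" 200 5321
"203.0.113.9" "NULL-AUTH-USER" "21/Apr/2011:10:46:02 -0700" "GET /asadmin/ HTTP/1.1" 401 0
"203.0.113.9" "NULL-AUTH-USER" "21/Apr/2011:10:46:05 -0700" "G3T /asadmin/ HTTP/1.1" 200 5321
"10.0.0.5" "NULL-AUTH-USER" "21/Apr/2011:10:47:11 -0700" "GET /asadmin/ HTTP/1.1" 401 0
"""

# Networks allowed to reach the admin listener on port 4848 (assumed values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
LINE_RE = re.compile(r'^"([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)" (\d{3}) (\d+|-)$')


def analyse_line(line):
    """Return the reasons an admin-interface access log line looks suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    client, user, _ts, request, status, _size = m.groups()
    reasons = []
    try:
        addr = ipaddress.ip_address(client)
        if not any(addr in net for net in TRUSTED_NETWORKS):
            reasons.append("source outside trusted networks")
    except ValueError:
        reasons.append("unparseable client address")
    # A well-formed request line is exactly "<METHOD> <target> HTTP/<version>".
    parts = request.split(" ")
    if len(parts) != 3 or parts[0] not in KNOWN_METHODS or not parts[2].startswith("HTTP/"):
        reasons.append("malformed request line")
    # On the admin listener a 2xx answer should always carry an authenticated
    # user; success with the no-user placeholder is the bypass pattern to alert on.
    if user == "NULL-AUTH-USER" and status.startswith("2"):
        reasons.append("2xx response without authenticated user")
    return reasons


def suspicious_entries(log_text):
    """Map 1-based line numbers to their findings, omitting clean lines."""
    lines = enumerate(log_text.splitlines(), start=1)
    return {n: r for n, l in lines if l.strip() and (r := analyse_line(l))}
```

Feed the real access log of the 4848 listener to `suspicious_entries` after adjusting `LINE_RE` and `TRUSTED_NETWORKS` to your deployment; the third signal depends on the server recording a placeholder user for unauthenticated requests.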