Path Traversal in Oracle GlassFish server open source edition - Vulnerability Database

Path Traversal in Oracle GlassFish server open source edition

Description

Oracle GlassFish Server Open Source Edition contains a path traversal vulnerability in its Administration Console, which listens on TCP port 4848 by default. This vulnerability allows unauthenticated remote attackers to bypass directory restrictions and access arbitrary files on the server by manipulating file paths in HTTP requests to the administrative interface.

Remediation

Oracle has not released a security patch for GlassFish Server 4.1 Open Source Edition. Organizations should implement the following mitigation strategies:

1. Restrict Access to Administration Console: Configure firewall rules to limit access to port 4848/TCP to trusted IP addresses only. Block external access to the administrative interface.

2. Deploy Protective Controls: Implement a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) with rules to detect and block path traversal attempts (e.g., requests containing "../", "..%2F", or encoded variations).

3. Upgrade to Supported Version: Migrate to Oracle GlassFish Server 3.x or later commercial releases, which are not affected by this vulnerability and receive ongoing security updates.

4. Network Segmentation: Place the GlassFish server in a segregated network zone with strict access controls to limit potential damage from exploitation.
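Mitigations 1 and 2 above boil down to two checks a defender can run over HTTP logs: is anyone reaching the administration port from outside the trusted management range, and does any request path contain a traversal sequence once encoding is stripped? The script below is an added example written for this entry, not code from Invicti or from the GlassFish project. It assumes a constructed log format (client IP, destination port, request line, status), an assumed trusted management range of 10.0.0.0/8, and the default port 4848 from the description; the sample lines are constructed. Percent-decoding is repeated until the path stops changing, so plain `..%2F` and double-encoded `%252e%252e` variants are both caught, and backslashes are folded to slashes before the segment check.

```python
"""Flag path-traversal attempts and untrusted admin-console access in HTTP logs."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_to_bytes

ADMIN_PORT = 4848                          # GlassFish administration console default
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed trusted management range

# Constructed log layout (not a real GlassFish format):
#   client_ip dest_port "METHOD target PROTOCOL" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)$'
)

# Constructed sample lines: benign admin traffic, an untrusted admin client,
# a plain encoded traversal, a double-encoded one, and a backslash variant.
SAMPLE_LOG = """\
10.0.0.5 4848 "GET /management/domain HTTP/1.1" 200
203.0.113.7 4848 "GET /management/domain HTTP/1.1" 200
10.0.0.5 8080 "GET /app/images/logo.png HTTP/1.1" 200
10.0.0.5 8080 "GET /app/..%2F..%2Fconfig/secret.txt HTTP/1.1" 404
198.51.100.9 4848 "GET /theme/%252e%252e/%252e%252e/domain.xml HTTP/1.1" 200
10.0.0.5 8080 "GET /app/..\\..\\config/secret.txt HTTP/1.1" 404
"""


def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding) and fold '\\' to '/'."""
    raw = target.encode("utf-8", "surrogateescape")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw.decode("utf-8", "replace").replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path segment of the decoded target is '..'."""
    path = normalize_target(target).split("?", 1)[0]
    return any(seg == ".." for seg in path.split("/"))


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an assumed trusted network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze_log(text: str) -> list:
    """Return (line_no, client_ip, reason) for every line that should alert."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, port, target = m["ip"], int(m["port"]), m["target"]
        if has_traversal(target):
            alerts.append((n, ip, "path traversal pattern"))
        if port == ADMIN_PORT and not is_trusted(ip):
            alerts.append((n, ip, "admin console access from untrusted network"))
    return alerts


if __name__ == "__main__":
    for n, ip, reason in analyze_log(SAMPLE_LOG):
        print(f"line {n}: {ip}: {reason}")
```

Running it against the sample prints one alert for line 2 (untrusted admin client), one each for lines 4 and 6 (decoded traversal), and two for line 5, which is both double-encoded traversal and an untrusted client on the admin port. The decode loop is bounded so a pathological input cannot make the check spin, and the trusted-range check is deliberately separate from the traversal check: a firewall rule on port 4848 removes the first class of alert entirely, while the second remains useful on every listener.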