Advisory: Oracle GlassFish Server Administration Console Authentication Bypass (CVE-2011-1511)

This is a quick post about a vulnerability I found in Oracle GlassFish Server (CVE-2011-1511), which was published two weeks ago (I know, I’m a bit late).

The Administration Console of Oracle GlassFish Server is prone to an authentication bypass vulnerability, which can be exploited by remote attackers by performing TRACE requests.

You can find the advisory with the analysis of the bug and its technical details here:  CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass.

By the way, the timeline of the advisory deserves some attention!

And if you are asking, yes, this bug can be exploited to create an administrative account on the Glassfish Server and then execute arbitrary code on the vulnerable machine!

Advertisements

One thought on “Advisory: Oracle GlassFish Server Administration Console Authentication Bypass (CVE-2011-1511)

  1. Congratulations!, nice find! 🙂 Now, is time to dive into the mysterious of kernel land and rise your travesti skills!.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s