Summary
The host is running Oracle GlassFish Server and is prone to a security bypass vulnerability.
Impact
Successful exploitation could allow local attackers to access sensitive data on the server without being authenticated by making 'TRACE' requests against the Administration Console.
Impact Level: System/Application
Solution
Upgrade to Oracle GlassFish 3.1 or later.
For updates refer to http://glassfish.java.net/downloads/3.1-final.html
Insight
The flaw is due to an error in the Administration Console when handling HTTP requests that use the 'TRACE' method. A remote unauthenticated attacker can gain access to the content of restricted pages in the Administration Console and can also create a new GlassFish administrator.
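As an added example (not part of this advisory or of GlassFish itself), a small Python triage script that scans constructed access-log lines assumed to come from the Administration Console listener and flags TRACE requests, separating those the server answered with 2xx (the bypass described above, where restricted content came back unauthenticated) from those it refused. The log paths are constructed placeholders, not real GlassFish console URLs.

```python
import re
from dataclasses import dataclass

# Common Log Format line; the sample lines below are constructed for this
# example and are assumed to be the Administration Console access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2011:12:00:01 +0000] "GET /admin/index HTTP/1.1" 302 0
203.0.113.7 - - [10/Apr/2011:12:00:05 +0000] "TRACE /admin/index HTTP/1.1" 200 4821
203.0.113.7 - - [10/Apr/2011:12:00:09 +0000] "TRACE /admin/users HTTP/1.1" 200 6102
198.51.100.4 - - [10/Apr/2011:12:01:11 +0000] "TRACE /admin/index HTTP/1.1" 405 0
198.51.100.4 - - [10/Apr/2011:12:01:12 +0000] "POST /admin/login HTTP/1.1" 200 0
"""

@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    verdict: str  # "bypass-suspected" or "blocked"

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_trace_requests(log_text):
    """Every TRACE request against the console, classified by the server's answer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "TRACE":
            continue
        # On an unpatched console a 2xx reply to TRACE returned restricted page
        # content without authentication (CVE-2011-1511); 4xx means it was refused.
        verdict = "bypass-suspected" if 200 <= rec["status"] < 300 else "blocked"
        findings.append(Finding(rec["ip"], rec["path"], rec["status"], verdict))
    return findings

def sources_with_bypass(findings):
    """Client IPs with at least one suspected successful TRACE bypass, for triage."""
    return sorted({f.ip for f in findings if f.verdict == "bypass-suspected"})

if __name__ == "__main__":
    hits = find_trace_requests(SAMPLE_LOG)
    for f in hits:
        print(f"{f.verdict:17} {f.ip:15} {f.status} {f.path}")
    print("hosts to investigate:", sources_with_bypass(hits))
```

A 2xx to TRACE is only a suspect signal until the server version is confirmed, since a standard TRACE echo also returns 200; the upgrade in the Solution section is the fix, and the script is for scoping exposure in logs from before it.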
Affected
Oracle GlassFish version 3.0.1 and prior.
Severity
CVSS Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Classification
CVE: CVE-2011-1511