Oracle GlassFish Server 2.1.1/3.0.1/3.1.2 Metro cryptographic issue
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.1 | $0-$5k | 0.00 |
Summary
A vulnerability described as problematic has been identified in Oracle GlassFish Server 2.1.1/3.0.1/3.1.2. Impacted is an unknown function of the component Metro. Executing a manipulation can lead to cryptographic issue. This vulnerability appears as CVE-2013-2172. There is no available exploit. Upgrading the affected component is recommended.
Details
A vulnerability was found in Oracle GlassFish Server 2.1.1/3.0.1/3.1.2 (Application Server Software). It has been declared as problematic. This vulnerability affects an unknown code block of the component Metro. The manipulation with an unknown input leads to a cryptographic issue vulnerability. The CWE definition for the vulnerability is CWE-310. As an impact it is known to affect integrity. CVE summarizes:
jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."
The weakness was presented 10/15/2013 by James Forshaw with Context Information Security as Oracle Critical Patch Update Advisory - October 2013 as confirmed advisory (Website). The advisory is shared for download at oracle.com. This vulnerability was named CVE-2013-2172 since 02/19/2013. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1600.
The vulnerability scanner Nessus provides a plugin with the ID 70482 (Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Web Servers. The commercial vulnerability scanner Qualys is able to test this issue with plugin 124870 (Red Hat Update for JBoss Enterprise Application Platform 6.1.1 (RHSA-2013:1207,RHSA-2013:1208)).
Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (85323), Tenable (70482), SecurityFocus (BID 60846†), OSVDB (94651†) and Secunia (SA54019†). Additional details are provided at isc.sans.edu. See VDB-10169, VDB-10822, VDB-10703 and VDB-10702 for similar entries. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.oracle.com
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 5.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cryptographic issueCWE: CWE-310
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 70482
Nessus Name: Oracle GlassFish Server Multiple Vulnerabilities (October 2013 CPU)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 703065
OpenVAS Name: Debian Security Advisory DSA 3065-1 (libxml-security-java - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
Exposure Time: 🔍
Timeline
02/19/2013 🔍06/25/2013 🔍
06/25/2013 🔍
06/28/2013 🔍
08/20/2013 🔍
09/12/2013 🔍
10/15/2013 🔍
10/15/2013 🔍
10/16/2013 🔍
10/17/2013 🔍
05/26/2021 🔍
Sources
Vendor: oracle.comAdvisory: Oracle Critical Patch Update Advisory - October 2013
Researcher: James Forshaw
Organization: Context Information Security
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-2172 (🔍)
GCVE (CVE): GCVE-0-2013-2172
GCVE (VulDB): GCVE-100-10708
OVAL: 🔍
IAVM: 🔍
X-Force: 85323
SecurityFocus: 60846 - Apache Santuario XML Security for JAVA XML Signature CVE-2013-2172 Security Bypass Vulnerability
Secunia: 54019 - Apache XML Security Signature Spoofing Vulnerability, Less Critical
OSVDB: 94651
Vulnerability Center: 41497 - [cpuoct2013-1899837, cpujul2014-1972956] Apache Santuario XML Security for Java 1.4-1.4.7, 1.5-1.5.4 and Oracle GlassFish Spoofing Attack of XML Signatures, Medium
Misc.: 🔍
See also: 🔍
Entry
Created: 10/16/2013 12:07Updated: 05/26/2021 22:23
Changes: 10/16/2013 12:07 (84), 05/11/2017 08:45 (5), 05/26/2021 22:23 (3)
Complete: 🔍
Cache ID: 216:9C9:103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.