CVE-2024-10029
📋 TL;DR
This vulnerability allows attackers to perform reflected cross-site scripting (XSS) attacks in the Eclipse GlassFish Administration Console. Attackers can inject malicious scripts that execute in victims' browsers when they visit specially crafted URLs. This affects administrators and users with access to the GlassFish Administration Console in vulnerable versions.
💻 Affected Systems
- Eclipse GlassFish
📦 What is this software?
Glassfish by Eclipse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, or redirect users to malicious sites, potentially leading to full server compromise.
Likely Case
Attackers steal session cookies or credentials from administrators, gaining unauthorized access to the GlassFish administration interface.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing successful exploitation.
🎯 Exploit Status
Exploitation requires social engineering to trick an authenticated user into clicking a malicious link; no authentication bypass is needed beyond the victim's existing access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.16 or later
Vendor Advisory: https://gitlab.eclipse.org/security/cve-assignement/-/issues/40
Restart Required: Yes
Instructions:
1. Download GlassFish 7.0.16 or later from the Eclipse repository.
2. Stop the GlassFish server.
3. Back up the configuration and deployed applications.
4. Install the updated version.
5. Restore the configuration and applications.
6. Start the GlassFish server.
🔧 Temporary Workarounds
Input Validation Filter
Implement a servlet filter that sanitizes request parameters containing script tags and special characters.
Implement a custom servlet filter with parameter sanitization logic.
Content Security Policy
Add Content-Security-Policy headers to restrict the sources from which scripts may execute.
Add the header "Content-Security-Policy: default-src 'self'" to HTTP responses.
🧯 If You Can't Patch
- Restrict access to Administration Console using network firewalls or VPNs
- Implement web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check the GlassFish version via the Administration Console or the server logs. If the version is 7.0.15, the system is vulnerable.
Check Version:
asadmin version
Verify Fix Applied:
After patching, verify version is 7.0.16 or later. Test XSS payloads in Administration Console parameters to confirm they are properly encoded.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values containing script tags in Administration Console access logs
- Multiple failed login attempts followed by a successful login from a different IP address
Network Indicators:
- HTTP requests to Administration Console with suspicious parameters containing script elements
- Outbound connections to unknown domains after accessing Administration Console
SIEM Query:
source="glassfish.log" AND ("script" OR "javascript:" OR "onerror=" OR "onload=") AND uri="/admin"
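As an added example that is not part of the original advisory, the SIEM query above is expressed as a small Python scanner run over constructed access-log lines. It assumes a combined-log-style line format, URL-decodes the request URI so percent-encoded payloads are not missed, and matches "<script" rather than bare "script" to avoid flagging legitimate admin-console script paths.

```python
import re
from urllib.parse import unquote_plus

# Indicator tokens from the advisory's SIEM query; "script" is tightened to
# "<script" so ordinary resources such as /admin/js/script.js are not flagged.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")
ADMIN_PREFIX = "/admin"

# Combined access-log layout (client, ident, user, timestamp, request, status).
# The exact format of GlassFish access logs is an assumption here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def is_suspicious(line):
    """Return a finding dict for an admin-console request carrying an XSS
    indicator in its URI, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if not uri.startswith(ADMIN_PREFIX):
        return None
    # Decode percent-encoding and '+' so encoded payloads are compared
    # against the same tokens as plain ones; lower-case for case folding.
    decoded = unquote_plus(uri).lower()
    hits = [tok for tok in INDICATORS if tok in decoded]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "uri": uri, "hits": hits}


def scan(lines):
    """Apply is_suspicious to every line and keep only the findings."""
    return [r for r in (is_suspicious(ln) for ln in lines) if r]


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /admin/common/index.jsf?name=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 1234
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /admin/common/index.jsf?page=overview HTTP/1.1" 200 5678
192.0.2.9 - - [10/Oct/2024:13:57:12 +0000] "GET /app/search?q=javascript:void(0) HTTP/1.1" 200 100
203.0.113.5 - - [10/Oct/2024:13:58:40 +0000] "GET /admin/view?img=x+onerror%3Dfoo HTTP/1.1" 404 55
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line carries an indicator but is outside the console path, so it is deliberately not reported; tune ADMIN_PREFIX to the context path your deployment actually uses.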