
So we do have some Glassfish 3 installations floating around and no Premium Support for them. Oracle has released a Critical Patch Update notification and CVE-2016-5519 regarding the same vulnerabilities in Glassfish has been published at the same time.

As far as I can see, Critical Patch Updates are only available to Oracle support customers, and I am struggling to understand the current Glassfish development status, so a couple of questions arise:

  1. Is there a timeline for the Glassfish open source project to release a new Glassfish 3 version incorporating the relevant fixes?
  2. Has anybody¹ voiced an opinion on whether Glassfish 4.0/4.1 would be affected? Oracle has announced that it will not offer commercial support for Glassfish releases beyond 3, so not having 4.x versions listed in Oracle's announcement (or the CVE) does not mean that they are safe.
  3. Is this the time to urge our suppliers to phase out Glassfish and replace it with something under active maintenance? If so, which concerns might I bring up here, and what could I reasonably ask of suppliers?

¹ anybody with the authority to do so, obviously

the-wabbit
    FYI - WRT the CVE listed in this question, we found [the fix for the CVE in Mojarra](https://github.com/javaserverfaces/mojarra/commit/38ea89e5fe004d972cee3ba2be3bef08e9fd89c7) which looks to be a backport of a fix that [went in to Mojarra in 2.2.8](https://github.com/javaserverfaces/mojarra/commit/19c15a99431d7c0f6f63bf244b0caf37fced732f) in 2014, which would imply that 4.0 was vulnerable. 4.1 had Mojarra 2.2.7 so was affected too. 4.1.1 had Mojarra 2.2.12 so was not vulnerable. – Mike Mar 16 '17 at 10:04
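The comment above reasons from the bundled Mojarra version: the fix landed in Mojarra 2.2.8, so GlassFish builds shipping 2.2.7 or older are affected and 4.1.1 with 2.2.12 is not. The script below is an added example, not code from the question, the answer, or the Mojarra/GlassFish projects: it reads the version out of the Mojarra jar's manifest and compares it numerically against that 2.2.8 threshold. It assumes the jar lives at `glassfish/modules/javax.faces.jar` inside the install directory and that the manifest carries an `Implementation-Version` (or `Bundle-Version`) attribute; both are assumptions, as is the minimal jar fixture constructed for the demo. The numeric comparison matters because a plain string comparison would rank "2.2.12" below "2.2.8" and misreport a patched install.

```python
"""Report whether a GlassFish install bundles a Mojarra (JSF) version at or above 2.2.8,
the version in which the fix discussed above landed. Added example; not project code."""
import io
import re
import zipfile
from pathlib import Path

# Threshold cited in the discussion: the Mojarra fix went in with 2.2.8.
FIXED_IN = (2, 2, 8)
# ASSUMPTION: location of the bundled Mojarra jar inside a GlassFish 4.x install directory.
MOJARRA_JAR = Path("glassfish/modules/javax.faces.jar")


def parse_version(text):
    """'2.2.12' -> (2, 2, 12). Tuples compare numerically, so 2.2.12 > 2.2.8 as intended;
    comparing the raw strings would get this wrong. Trailing build info after the
    third number (e.g. '2.2.7 (20140610 ...)') is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def manifest_version(jar_bytes):
    """Return the version attribute from META-INF/MANIFEST.MF inside the jar.
    ASSUMPTION: Implementation-Version is present; Bundle-Version is the fallback."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = {}
    for line in manifest.splitlines():
        # Continuation lines start with a space; the attributes we need are short, so skip them.
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    for key in ("Implementation-Version", "Bundle-Version"):
        if key in attrs:
            return attrs[key]
    raise ValueError("no version attribute found in manifest")


def assess(jar_bytes):
    """Classify a Mojarra jar as 'fixed' (>= 2.2.8) or 'affected' (< 2.2.8)."""
    version = parse_version(manifest_version(jar_bytes))
    status = "fixed" if version >= FIXED_IN else "affected"
    return status, version


def assess_install(install_dir):
    """Locate the bundled jar under a GlassFish install directory and classify it.
    A missing jar yields 'unknown' rather than a false 'fixed'."""
    jar = Path(install_dir) / MOJARRA_JAR
    if not jar.is_file():
        return "unknown", None
    return assess(jar.read_bytes())


def make_jar(version):
    """Constructed test fixture: a minimal jar holding only a manifest with the given version.
    Not a real Mojarra build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # The versions named in the comment: 4.1 shipped 2.2.7, 4.1.1 shipped 2.2.12.
    for ver in ("2.2.7", "2.2.8", "2.2.12"):
        print(ver, "->", assess(make_jar(ver)))
    print("example install dir ->", assess_install("/opt/glassfish4"))
```

Point `assess_install` at the root of a real install to check it; treat an "unknown" result as a prompt to locate the jar by hand rather than as a clean bill of health.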

1 Answer

Disclaimer: I work for Payara


  1. Is there a timeline for the Glassfish open source project to release a new Glassfish 3 version incorporating the relevant fixes?

Oracle are not maintaining GlassFish 3.x in any way outside of support contracts, so the open source edition of GlassFish 3.x is not going to have any other new releases.

> 2. Has anybody voiced an opinion on whether Glassfish 4.0/4.1 would be affected? Oracle has announced that it will not offer commercial support for Glassfish releases beyond 3, so not having 4.x versions listed in Oracle's announcement (or the CVE) does not mean that they are safe.

It is possible that GlassFish 4.x is affected. Oracle only makes these announcements for Oracle GlassFish Server, which is subtly different to the open source edition in that some bugs affect things which were commercial-only features.

In Payara's investigations, we have found that many of these do affect the source, but not all of them. Currently, we have found and fixed 19 security issues (3 merged and pending release). We are currently working on a nice way to summarise the security fixes and which versions contain which fixes but, until we put that together, I can say that we haven't (AFAIK) investigated this one yet. Just to be sure, I raised it on our internal issue tracker (PAYARA-1253).

> 3. Is this the time to urge our suppliers to phase out Glassfish and replace it with something under active maintenance? If so, which concerns might I bring up here, and what could I reasonably ask of suppliers?

Of course, as a Payara employee, I'm going to recommend you move to Payara Server! Before you completely write that off as my own bias, though, I'd like to point out that it is completely open source and has a very large number of new fixes on top of the latest GlassFish (4.1.1). The differences between 3.x and 4.x (aside from Java EE 7 API differences) are small, so it would be pretty easy for you to download it and give it a go with your app. We release new versions every quarter to the public (monthly to customers) so, if a fix for the CVE you mentioned is really required, it should be available quite soon.

Just for balance, alternatives would be WildFly/JBoss, WebLogic, WebSphere Liberty or TomEE. I would say that, due to the shared codebase, a move to Payara is likely to cause the fewest headaches. WebLogic also shares a large number of API implementations with GlassFish, however WebLogic is only free to download and run in development environments and requires a license for production use.

I would certainly recommend you move away from GlassFish 3.1.2, though; it's old and getting older. You will need to move eventually, and there are a number of security vulnerabilities which have now been discovered that are not fixed in the open source edition. Ultimately, the choice of where you move to is yours.

Mike