CVE-2024-9342

Eclipse Foundation · GlassFish

Eclipse GlassFish is vulnerable to login brute force attacks because it applies neither account lockout nor rate limiting to failed authentication attempts.

Executive summary

A critical vulnerability in Eclipse GlassFish allows attackers to brute-force credentials against its authentication endpoints: failed logins are neither throttled nor counted toward a lockout, so nothing limits the number of guesses an attacker can make.

Vulnerability

The application lacks rate limiting and account lockout for failed login attempts (weakness class CWE-307, Improper Restriction of Excessive Authentication Attempts). An attacker can therefore submit password guesses programmatically, bounded only by network throughput and the server's response time, until a weak or reused password is found and an account is taken over. To confirm exposure, submit a series of deliberately wrong passwords for one account from one client and check whether any attempt is delayed, throttled, or refused with a lockout; on an affected instance, every attempt is processed normally.

Business impact

A CVSS score of 9.8 reflects the high risk of account takeover. The most valuable target is the administrative interface: an attacker who guesses an administrator's password can deploy applications through it, which amounts to arbitrary code execution as the server's service account. Successful exploitation can therefore lead to compromise of hosted applications and their data and to full control of the server, with corresponding operational and reputational damage.

Remediation

Immediate Action: Update to a release of Eclipse GlassFish in which the project has fixed CVE-2024-9342 (check the release notes for the fixed version) so that failed authentication attempts are limited.

Proactive Monitoring: Monitor authentication logs for high volumes of failed login attempts, whether they come from a single IP address, from many addresses against a single account (distributed brute force or password spraying), or from one address across many accounts. Any of these patterns indicates a brute force attack in progress and should raise an alert.
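One way to implement that monitoring, as an added example that is not part of the advisory or of GlassFish: a sliding-window detector that reads authentication log lines and raises an alert when failures from one source, failures against one account, or the number of distinct sources failing against one account cross a threshold. The log format, thresholds, and sample lines are constructed assumptions; adapt LOG_RE to the real log format of the deployment.

```python
"""Sliding-window brute-force detector over authentication log lines.

Added example, not part of the advisory or of GlassFish. The log format,
the thresholds and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption):
#   <ISO-8601 UTC time> auth <OK|FAILED> user=<name> ip=<address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAILED) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)
IP_THRESHOLD = 10     # failures from one source address inside WINDOW
USER_THRESHOLD = 10   # failures against one account inside WINDOW
SPRAY_SOURCES = 5     # distinct sources failing against one account inside WINDOW


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines):
    """Return (kind, key, count) alerts, one per (kind, key), raised the first
    time a threshold is crossed inside the sliding window."""
    by_ip = defaultdict(deque)    # ip   -> timestamps of failures
    by_user = defaultdict(deque)  # user -> (timestamp, ip) of failures
    alerts, seen = [], set()

    def trim(q, now, key=lambda e: e):
        # drop entries older than WINDOW relative to the current event
        while q and key(q[0]) < now - WINDOW:
            q.popleft()

    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        now = ev["ts"]
        q_ip = by_ip[ev["ip"]]
        q_ip.append(now)
        trim(q_ip, now)
        q_user = by_user[ev["user"]]
        q_user.append((now, ev["ip"]))
        trim(q_user, now, key=lambda e: e[0])

        checks = [
            ("ip_bruteforce", ev["ip"], len(q_ip), IP_THRESHOLD),
            ("account_bruteforce", ev["user"], len(q_user), USER_THRESHOLD),
            ("distributed_bruteforce", ev["user"],
             len({ip for _, ip in q_user}), SPRAY_SOURCES),
        ]
        for kind, key, count, threshold in checks:
            if count >= threshold and (kind, key) not in seen:
                seen.add((kind, key))
                alerts.append((kind, key, count))
    return alerts


def sample_log():
    """Constructed sample lines, not real GlassFish output."""
    base = datetime(2024, 10, 3, 12, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        # stale failure, one hour old: falls outside WINDOW and must not count
        f"{fmt(base - timedelta(hours=1))} auth FAILED user=admin ip=203.0.113.5",
        f"{fmt(base)} auth OK user=alice ip=192.0.2.10",
    ]
    # single-source brute force: 12 failures against admin from one address
    for i in range(12):
        lines.append(f"{fmt(base + timedelta(seconds=i))} auth FAILED user=admin ip=203.0.113.5")
    # distributed attempt: 6 failures against deployer from 6 different addresses
    for i in range(6):
        lines.append(f"{fmt(base + timedelta(seconds=20 + i))} auth FAILED "
                     f"user=deployer ip=198.51.100.{i + 1}")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The per-account checks are what catch a distributed attack: the attacker's sources each stay under IP_THRESHOLD, but the account they share exceeds SPRAY_SOURCES. Tune the thresholds against the baseline failure rate of the real environment before alerting on them.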

Compensating Controls: Enforce account lockout or progressive delays at the application level, or place an authentication proxy in front of GlassFish that enforces rate limiting and multi-factor authentication (MFA). Lockout alone is a double-edged control, since an attacker who can trigger it can lock legitimate administrators out; pair it with per-source throttling, keep the lock duration short, and restrict network access to the administrative listener so that only management hosts can reach it at all.
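The combination of per-source throttling and short-lived account lockout described above, as an added example that is not GlassFish code: a guard that sits in front of a password check, throttles each client address first, then locks an account after a run of failures and refuses even the correct password until the lock expires. The credential store, the salt, the clock injection and the thresholds are constructed assumptions standing in for a real realm.

```python
"""Login guard adding per-source throttling and per-account lockout in front
of a password check that has neither.

Added example, not GlassFish code. The credential store, salt and thresholds
are constructed assumptions; a real deployment uses a per-user random salt
and the server's own realm.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque

_SALT = b"constructed-salt"          # assumption: real systems use a random per-user salt
_ITER = 100_000
_USERS = {                           # constructed credential store
    "admin": hashlib.pbkdf2_hmac("sha256", b"S3cure-Passphrase!", _SALT, _ITER),
}
_DUMMY = bytes(32)                   # compared against for unknown users


def check_password(user, password):
    """Constant-time check; unknown users cost the same as known ones so that
    response timing does not reveal which account names exist."""
    expected = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)
    match = hmac.compare_digest(expected if expected is not None else _DUMMY, candidate)
    return expected is not None and match


class LoginGuard:
    def __init__(self, check, clock=time.monotonic, max_failures=5,
                 lock_seconds=900, ip_rate=20, ip_window=60):
        self.check = check
        self.clock = clock                 # injected so the test can move time
        self.max_failures = max_failures   # consecutive failures before lockout
        self.lock_seconds = lock_seconds   # short lock: limits the DoS an attacker can cause
        self.ip_rate = ip_rate             # attempts allowed per source per ip_window
        self.ip_window = ip_window
        self._failures = defaultdict(int)  # user -> consecutive failures
        self._locked_until = {}            # user -> clock time when the lock ends
        self._ip_hits = defaultdict(deque)  # ip -> timestamps of attempts

    def attempt(self, user, password, ip):
        now = self.clock()
        # Throttle the source first, counting every attempt it makes regardless
        # of account, so a guessing client is slowed before any lock is reached.
        hits = self._ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_rate:
            return "throttled"
        hits.append(now)

        until = self._locked_until.get(user)
        if until is not None and now < until:
            return "locked"            # the correct password is refused while locked

        if self.check(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            self._failures.pop(user, None)
            return "locked"
        return "denied"                # same answer for wrong password and unknown user


def simulate():
    """Drive the guard with a fake clock and return the named outcomes."""
    t = [0.0]
    guard = LoginGuard(check_password, clock=lambda: t[0])
    out = {"guesses": []}
    for guess in ["password", "admin", "123456", "letmein", "qwerty"]:
        out["guesses"].append(guard.attempt("admin", guess, "203.0.113.5"))
        t[0] += 1
    # the real password is rejected while the account is locked ...
    out["correct_while_locked"] = guard.attempt("admin", "S3cure-Passphrase!", "203.0.113.5")
    t[0] += 901
    # ... and accepted once the lock has expired
    out["correct_after_expiry"] = guard.attempt("admin", "S3cure-Passphrase!", "203.0.113.5")
    # a burst from another source against a nonexistent account hits the per-IP throttle
    out["burst"] = [guard.attempt("deployer", f"guess{i}", "198.51.100.7") for i in range(21)]
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The ordering matters: throttling before lockout means a single abusive client runs into the rate limit long before it can lock many accounts, and the short lock_seconds bounds how long a deliberately triggered lockout keeps an administrator out. Neither control replaces MFA; they only make guessing slow enough that monitoring can catch it.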

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Brute force against exposed login endpoints is a common initial-access vector. Organizations running Eclipse GlassFish should confirm they are on a patched version, limit who can reach the administrative interface at the network level, and add authentication hardening such as MFA so that a guessed password alone is not enough to compromise an account.