Try Free

Arbitrary File Read Exploit Hotfix

Security
Andrew Pielage
Published: 04 Feb 2016
Updated: 21 Oct 2025

Exclamation_mark.jpgThis hot fix removes an arbitrary file read exploit that allows an attacker to read the content of any file on the server hosting the DAS. This exploit attacks the administration console with a specific string, bypassing secure administration and any required login details. Therefore, if the administration console is not publicly accessible, and Payara Server is running under a restricted user (as per best practice), then the risk is minimised.

 

Download Payara Server 161,  including the fix. 

 

################### WARNING ####################

For the hotfix to take effect, you will need to stop and start your DAS.

It is not necessary to restart your other instances, though specific setups may find it beneficial to do so.

################################################

This fix applies to all versions of Payara Server prior to version 4.1.1.161.

 

To apply the hotfix:

  • Shut down the DAS: asadmin stop-domain $DOMAIN_NAME
  • Create a backup of your Payara server install and configuration
  • Delete the following file: $PAYARA_HOME/glassfish/lib/install/applications/__admingui/WEB-INF/extra/webui-jsf-4.0.2.10.jar
  • Download the following artefact: https://s3-eu-west-1.amazonaws.com/payara-patches/com/sun/woodstock/webui-jsf/4.0.2.10.payara-p2/webui-jsf-4.0.2.10.payara-p2.jar
  • Copy the downloaded artefact (webui-jsf-4.0.2.10.payara-p2.jar) into the same directory as the deleted file: $PAYARA_HOME/glassfish/lib/install/applications/__admingui/WEB-INF/extra/
  • Rename the new jar file (webui-jsf-4.0.2.10.payara-p2.jar) to webui-jsf-4.0.2.10.jar (to match the deleted original).

Restart your DAS: asadmin start-domain $DOMAIN_NAME

 

 

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Stacked copies of the Payara developer guide “Zero Trust Architecture with Jakarta EE and MicroProfile” on an orange background, showing the dark blue cover design with the Payara logo and a laptop illustration featuring a shield and padlock icon. 4 minutes
Jakarta EE
Luqman Saeed
09 Jan 2026

Implementing Zero Trust Security with Jakarta EE: A Practical Guide

Zero Trust security has moved from buzzword to necessity. The principle is simple: never trust, always verify. But implementing […]

Read More
The Imperative for Legacy Java Modernization in Banking Cover 2 minutes
Jakarta EE
Luqman Saeed
24 Oct 2025

The $57 Billion Problem: Why Banking’s Java Legacy Crisis Demands Immediate Action

How outdated Java systems are draining budgets and throttling innovation across financial services? Let’s dig in in this blog […]

Read More
Interview The software that could be putting your cyber-security at risk 2 minutes
Security
Payara Content Team
22 Oct 2025

Middleware Cyber Security: The Hidden Risk Every C-Suite Should Prioritize

When tackling cyber risk at the strategic level, it pays to learn from trusted leaders. Steve Millidge, CEO and […]

Read More