Red Hot Cyber


TIM’s Red Team Research discovers five CVEs on Eclipse GlassFish, one critical (score 9.8)

Redazione RHC : 21 July 2025 08:45

Thursday, July 16 was a significant day for the cybersecurity researchers of TIM's Italian Red Team Research (RTR) team, which saw the publication of five new vulnerabilities (CVEs) discovered in the Eclipse GlassFish project, one of which was rated 9.8.

TIM's Red Team Research is a research group active since 2019, specialized in bug hunting, and has published over 170 CVEs. The team operates in full compliance with the principles of Coordinated Vulnerability Disclosure (CVD): an ethical practice that requires the confidential reporting of vulnerabilities to vendors, allowing them to develop and release corrective patches before official publication.

Once the patch is available, with the vendor's consent, the vulnerabilities are published by the Red Team Research to the National Vulnerability Database (NVD) of the United States, or by the vendor itself if it is certified as a CNA (CVE Numbering Authority).

Eclipse GlassFish: a central open-source project for Java EE

Eclipse GlassFish is an open-source project used for both the development and deployment of enterprise-level Java EE (now Jakarta EE) applications. Originally developed by Oracle, it was known as Oracle GlassFish until 2017, when Oracle donated the source code to the Eclipse Foundation. Since then, the GlassFish project has been taken over by the Eclipse Foundation and is currently supported with the collaboration of organizations such as Payara, Fujitsu, and OmniFish.

The migration represented a huge engineering and legal challenge, with over 5.5 million lines of code and over 61,000 files moving from Oracle to the Eclipse Foundation. The code, historically confidential and proprietary, was made public, making it accessible and revealing the testing performed. As stated in a press release at the time, the migration effort began with EclipseLink and Yasson, which were already at the Eclipse Foundation. The first projects migrated from Oracle's GitHub were JSONP, JMS, WebSocket, and OpenMQ, which were completed in January 2018. The GlassFish repository and the CTS/TCK repositories were migrated in September 2018.

Discovered vulnerabilities

Below is the list of issued CVEs:

CVE              CVSSv3   Typology
CVE-2024-9342    9.8      CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2024-10029   6.1      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10032   5.4      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-9343    6.1      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10031   5.4      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In detail, the vulnerability identified and classified as CVE-2024-9342 (https://nvd.nist.gov/vuln/detail/CVE-2024-9342) was detected on version 7.0.16 (and earlier) of the Eclipse GlassFish product and is rated 9.8 Critical on the CVSSv3 scale (1 to 10).

Specifically, it was possible to perform login brute force attacks against two specific product URLs. This vulnerability occurs when the product does not implement sufficient measures to prevent multiple failed authentication attempts in a short period of time, making it more susceptible to brute force attacks. What makes this type of attack severe is that it has no prerequisites; therefore, it is particularly dangerous if the GlassFish instance is exposed to the Internet.

The impact detected by Red Team Research’s analysis is that an attacker can exploit this vulnerability to gain access with administrative privileges to the server’s Administration Console or Management REST Interface.
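The control whose absence CWE-307 describes is a limit on repeated failed authentication attempts. The following is an added example, not code from GlassFish or from the Red Team Research team: a small sliding-window throttle that locks an (account, source) pair after a burst of failures, with a lockout that doubles on each repeat, and a constructed scenario in which one source hammers an administrative account. The thresholds, the `verify` callback and the sample IP address are assumptions chosen for illustration.

```python
"""Added example: a CWE-307 mitigation pattern (failed-login throttling).

Not part of GlassFish. Thresholds below are illustrative assumptions.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # failures tolerated inside WINDOW_SECONDS before locking
WINDOW_SECONDS = 300   # sliding window over which failures are counted
BASE_LOCKOUT = 60      # first lockout length (seconds); doubles on each repeat
MAX_LOCKOUT = 3600     # cap so a persistent attacker cannot lock a user forever


class LoginThrottle:
    """Tracks failed attempts per key (e.g. (username, source_ip))."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)    # key -> timestamps of recent failures
        self._locked_until = {}                # key -> clock value when lock expires
        self._lock_count = defaultdict(int)    # key -> consecutive lockouts so far

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        until = self._locked_until.get(key)
        return until is not None and self._clock() < until

    def record_failure(self, key):
        """Register a failed attempt. Returns lockout seconds imposed (0 if none)."""
        now = self._clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            n = self._lock_count[key]
            duration = min(BASE_LOCKOUT * (2 ** n), MAX_LOCKOUT)
            self._locked_until[key] = now + duration
            self._lock_count[key] = n + 1
            self._failures[key].clear()
            # A real deployment would also emit a log/alert event here so that
            # repeated lockouts surface in monitoring.
            return duration
        return 0

    def record_success(self, key):
        # A genuine login resets all counters for this key.
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
        self._lock_count.pop(key, None)


def attempt_login(throttle, username, source_ip, password, verify):
    """Gate a credential check. Returns 'locked', 'ok' or 'failed'."""
    key = (username, source_ip)
    if throttle.is_locked(key):
        return "locked"   # refuse before evaluating the password at all
    if verify(username, password):
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "failed"


def simulate_brute_force(attempts=12):
    """Constructed scenario: one source tries a new guess every second."""
    clock = [0.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    creds = {"admin": "correct horse battery staple"}   # constructed credential store
    verify = lambda user, pw: creds.get(user) == pw
    outcomes = []
    for i in range(attempts):
        clock[0] += 1.0
        outcomes.append(
            attempt_login(throttle, "admin", "203.0.113.7", f"guess{i}", verify)
        )
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force())
```

Keying on (username, source) stops a single source from guessing freely, but a distributed attempt spread across many sources would need an additional per-account counter and alerting on the lockout events; the `record_failure` return value is the natural place to hook that alert.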

A look at TIM’s Red Team Research lab

This is one of the few Italian security research centers where activities aimed at identifying undocumented (0-day) vulnerabilities have been carried out for some time. The team's activities have led to the subsequent issuance of CVEs on the National Vulnerability Database (NVD) of the United States of America, after completing the Coordinated Vulnerability Disclosure (CVD) process with the product vendor.

Over the course of 5 years of activity, the laboratory has issued numerous CVEs on best-in-class products from major international vendors, such as Oracle, IBM, Fortinet, F5, Ericsson, Red Hat, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, and Schneider Electric, as well as other vendors across different types of software and hardware architectures.

Over time, the lab has issued approximately 170 CVEs, of which 14 have a Critical severity (>= 9.0 CVSSv3 score).

Regarding a vulnerability discovered by the research group in the Metasys Reporting Engine (MRE) Web Services product from the vendor Johnson & Control, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific security bulletin bringing it to the attention of the sectors listed as "CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/AREAS DEPLOYED, and COMPANY HEADQUARTERS LOCATION".

This is an all-Italian research group that consistently issues CVEs, actively contributing to the research into undocumented vulnerabilities at the international level. Red Team Research is distinguishing itself in Italy for the high caliber of its activities, as well as contributing to raising the security levels of products used by international organizations.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
