From "Martin Gainty (JIRA)" <>
Subject [jira] [Commented] (TRANSPORTS-55) Improper Resource Shutdown or Release in 246
Date Fri, 09 Jan 2015 16:27:34 GMT


Martin Gainty commented on TRANSPORTS-55:

25 years ago I worked in a lab, so if Elaine Benes consumed a poppy seed roll, then took a test
to indicate opiates and tested positive, then this test would be registered as a "false positive".

In software terms a false positive is registered when a result indicates that a given condition
has been fulfilled, when it actually has not been fulfilled. So in your case, if:
1) the JVM has a lock on the CL while another client is attempting to update the resource acquired
by that CL, which is always true
2) critical sections are safe for multiple threads loading different classes (generally implemented
with synchronized) and will not allow other clients to update resources in the critical section
until you exit the critical section
3) you invoked java.lang.ClassLoader's static method registerAsParallelCapable(). This registration
indicates that all instances of your custom class loader are multithread safe.
4) check that all class loader classes that this custom class loader extends also invoke the
registerAsParallelCapable() method in their class initializers. Ensure that they are multithread
safe for concurrent class loading.

If these steps have been followed there would not be a false positive. It would be good
for both of us to implement a test case which would demonstrate mitigation for this vulnerability.
Jeff Williams coded this for OWASP back in 2007:

starting the container with the folder location of "resources which must be protected" with
java -Dorg.owasp.esapi.resources="C:\temp\resources" -jar ContainerBootstrap.jar

Does this answer your question?

> Improper Resource Shutdown or Release in 246
> -----------------------------------------------------------
>                 Key: TRANSPORTS-55
>                 URL:
>             Project: Axis2 Transports
>          Issue Type: Bug
>          Components: Base
>    Affects Versions: 1.0.0
>            Reporter: David Camilo Espitia Manrique
>              Labels: security
>             Fix For: 1.0.0
>   Original Estimate: 24h
>  Remaining Estimate: 24h
> We are currently using "Axis2-transport-base 1.0.0 " and the veracode analysis found a bug in this class "" line 246:
> Type:  Improper Resource Shutdown or Release
> Description:
> The application fails to release (or incorrectly releases) a system resource before it is made available for re-use. This condition often occurs with resources such as database connections or file handles. Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, it may be possible to launch a denial of service attack by depleting the resource pool.
> Recommendations:
> When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation. Ensure that all code paths properly release resources
