camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Claus Ibsen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CAMEL-7088) Veracode compliance. Improper Resource Shutdown or Release (CWE ID 404) in FileLockExclusiveReadLockStrategy
Date Fri, 20 Dec 2013 17:36:11 GMT

     [ https://issues.apache.org/jira/browse/CAMEL-7088?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Claus Ibsen updated CAMEL-7088:
-------------------------------

      Component/s: camel-core
         Priority: Minor  (was: Major)
    Fix Version/s: 2.13.0
                   2.12.3
         Assignee: Claus Ibsen

> Veracode compliance. Improper Resource Shutdown or Release (CWE ID 404) in FileLockExclusiveReadLockStrategy
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: CAMEL-7088
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7088
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>    Affects Versions: 2.11.3, 2.12.3, 2.13.0
>            Reporter: Leonid Marushevskiy
>            Assignee: Claus Ibsen
>            Priority: Minor
>              Labels: Security, Veracode
>             Fix For: 2.12.3, 2.13.0
>
>
> Pull request https://github.com/apache/camel/pull/74
> During Veracode scan of our application we discover issue with security in Camel. Please
review our fix and apply it in future versions.
> Quote from Veracode report below:
> Improper Resource Shutdown or Release (CWE ID 404)(1 flaw)
> Description
> The application fails to release (or incorrectly releases) a system resource before it
is made available for re-use. This
> condition often occurs with resources such as database connections or file handles. Most
unreleased resource issues
> result in general software reliability problems, but if an attacker can intentionally
trigger a resource leak, it may be
> possible to launch a denial of service attack by depleting the resource pool.
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to
fix.
> Recommendations
> When a resource is created or allocated, the developer is responsible for properly releasing
the resource as well as
> accounting for all potential paths of expiration or invalidation. Ensure that all code
paths properly release resources.
> Instances found via Static Scan
> .../FileLockExclusiveReadLockStrategy.java line 68



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)

Mime
View raw message