db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3083) Network server demands a file called "derbynet.jar" in classpath
Date Tue, 20 Nov 2007 14:19:43 GMT

https://issues.apache.org/jira/browse/DERBY-3083?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543900

Rick Hillegas commented on DERBY-3083:

> The fix is described in the description to DERBY-2362, I don't see any windows of vulnerability,
> could you explain what you are thinking?

We seem to be talking about an attacker who has the ability to change system properties at
any point in Derby's processing. Here is the scenario which came to my mind:

1) Derby sets system properties just before installing a security manager.

2) Blackhat changes the properties.

3) Derby installs the security manager.

4) Blackhat prompts a call to the security manager, which faults in the policy file and substitutes
in the current values of the system properties.

5) Blackhat then changes the properties back to the values which Derby set.

6) Derby then runs the checks described in DERBY-2362 but sees nothing amiss.
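The six-step window above, as an added Java demonstration (this is not Derby's code and uses a hypothetical property name, `demo.trusted.dir`, rather than any real Derby property). A policy file expands `${property}` references with whatever the property holds at the moment the policy is parsed, whether that happens when the security manager is installed or on the first permission check, so a later comparison of the property values (step 6) cannot tell that the grants were built from the attacker's values. The last method shows the check that does catch it: probe the effective policy for a permission the expected value would never grant. The assumed environment is a JDK that still provides the Security Manager (JDK 17; JDK 18 to 23 need `-Djava.security.manager=allow`).

```java
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

public class PolicyExpansionRace {
    // Hypothetical property name for this demo; not a Derby property.
    static final String PROP = "demo.trusted.dir";
    static final String HONEST = "/opt/demo/trusted";
    // The attacker points the grant one level up, so the expanded
    // FilePermission covers every sibling of the trusted directory.
    static final String ATTACKER = "/opt/demo";

    public static void main(String[] args) throws Exception {
        // Constructed policy: the FilePermission target is expanded from the
        // property; PropertyPermission models an attacker who is assumed to
        // be able to rewrite system properties while the manager is active.
        Path policy = Files.createTempFile("demo", ".policy");
        Files.writeString(policy, String.join("\n",
            "grant {",
            "  permission java.io.FilePermission \"${" + PROP + "}/-\", \"read\";",
            "  permission java.util.PropertyPermission \"" + PROP + "\", \"read,write\";",
            "};", ""));
        System.setProperty("java.security.policy", policy.toUri().toString());

        System.setProperty(PROP, HONEST);                 // step 1: server sets the value
        System.setProperty(PROP, ATTACKER);               // step 2: attacker rewrites it
        System.setSecurityManager(new SecurityManager()); // step 3: manager installed
        // Step 4: the policy is parsed no later than this first check, and
        // ${demo.trusted.dir} is expanded with the value current at that moment.
        AccessController.checkPermission(new FilePermission("/opt/demo/other/secret", "read"));
        System.setProperty(PROP, HONEST);                 // step 5: attacker restores the value

        // Step 6 done as a property comparison sees nothing amiss...
        boolean propertyLooksFine = HONEST.equals(System.getProperty(PROP));
        // ...while the loaded policy still carries the attacker's expansion.
        boolean policyTooWide = grantsOutsideTrustedDir(HONEST);
        System.out.println("property check passes: " + propertyLooksFine);
        System.out.println("loaded policy grants outside trusted dir: " + policyTooWide);
    }

    /**
     * Check the policy that was actually loaded instead of the properties it
     * was supposed to be built from: ask for a permission that the expected
     * value would never grant. Returns true when the effective grants are
     * wider than expected, which is the condition a startup check should
     * refuse to continue on.
     */
    static boolean grantsOutsideTrustedDir(String expectedDir) {
        Permission probe = new FilePermission(expectedDir + "-outside/probe", "read");
        try {
            AccessController.checkPermission(probe);
            return true;   // granted: expanded from something wider than expectedDir
        } catch (AccessControlException denied) {
            return false;  // denied: matches what the expected value would grant
        }
    }
}
```

Run as `java PolicyExpansionRace.java`; it prints `property check passes: true` followed by `loaded policy grants outside trusted dir: true`. The design point is that a check against system property values can only ever be racy, whereas a check against the permissions the loaded policy actually implies cannot be undone by restoring the properties afterwards.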

> Network server demands a file called "derbynet.jar" in classpath
> ----------------------------------------------------------------
>                 Key: DERBY-3083
>                 URL: https://issues.apache.org/jira/browse/DERBY-3083
>             Project: Derby
>          Issue Type: Bug
>          Components: Tools
>    Affects Versions:
>            Reporter: Aaron Digulla
>         Attachments: derby-716-10-datatypesCollation-aa.diff
> The network server will not start if the derbynet jar is added under a different name
> than "derbynet.jar" to the classpath. This makes it impossible to use it in maven projects
> where the jar is renamed to "derbynet-".
> This did work with

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
