db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DERBY-6631) FileMonitor can be used to elevate an application's privileges
Date Fri, 20 Jun 2014 16:38:25 GMT
Rick Hillegas created DERBY-6631:
------------------------------------

             Summary: FileMonitor can be used to elevate an application's privileges
                 Key: DERBY-6631
                 URL: https://issues.apache.org/jira/browse/DERBY-6631
             Project: Derby
          Issue Type: Bug
          Components: Services
    Affects Versions: 10.11.0.0
            Reporter: Rick Hillegas


Various vulnerabilities in FileMonitor allow applications to perform security-sensitive operations
with the elevated privileges granted to Derby:

getDaemonThread() - The application can call this method in order to create threads, using
Derby's elevated privileges.

getJVMProperty() - The application can call this in order to read system properties using
Derby's elevated privileges.

setThreadPriority() - The application can call this method to change the priority of a daemon
thread it has created. This call will execute with Derby's elevated privileges.




--
This message was sent by Atlassian JIRA
(v6.2#6252)
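
The pattern the report describes, shown for the property-read case as an added sketch that is not part of the original message and is not Derby's FileMonitor source. The class name, method names other than the idea of a property getter, and the permission name are hypothetical; it assumes a Java 8+ runtime where the SecurityManager API is still present.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical class for illustration; this is not Derby's FileMonitor source.
public class MonitorSketch {

    // Hypothetical permission name: only code granted this may use the wrappers.
    private static final RuntimePermission INTERNAL =
        new RuntimePermission("monitorSketch.useInternals");

    // Weak form: public, and doPrivileged() stops the permission check at this
    // frame, so a caller lacking PropertyPermission still gets the value.
    public String getJVMPropertyUnchecked(final String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // Hardened form: checkPermission() runs before doPrivileged(), so it walks
    // the whole stack, including the application frame that called us.
    public String getJVMPropertyChecked(final String key) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(INTERNAL); // throws a SecurityException if not granted
        }
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) {
        MonitorSketch m = new MonitorSketch();
        // Without a SecurityManager installed both calls succeed; under one, the
        // checked call fails unless every caller's code source holds INTERNAL.
        System.out.println(m.getJVMPropertyUnchecked("user.home"));
        System.out.println(m.getJVMPropertyChecked("user.home"));
    }
}
```

The same gate placed ahead of the privileged block applies equally to wrappers that create threads or change thread priority.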
