karaf-issues mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Date Mon, 19 Sep 2016 00:59:21 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4215:
----------------------------------------
    Fix Version/s:     (was: 4.0.7)
                   4.0.8

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: KARAF-4215
>                 URL: https://issues.apache.org/jira/browse/KARAF-4215
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the Karaf source code.
> Dynamically loaded code has the potential to be malicious. The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. The constructor for DefaultJDBCLock includes one parameter for a Properties object from which the parameters for the dynamic class are taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365     Class.forName(driver);
> 366     // results in a closed connection in Derby if the update lock table request timed out
> 367     // DriverManager.setLoginTimeout(timeout);
> 368     return DriverManager.getConnection(url, username, password);
> 369 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
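The finding above boils down to `Class.forName(driver)` being called on a string taken straight from configuration. The following added example (not Karaf's code, and not the fix that shipped in 4.0.8) puts the reported pattern beside one hardened form: the driver name is checked against an allowlist, the class is loaded with `initialize=false` so no static initializer runs before the type is verified, and only a class that actually implements `java.sql.Driver` is initialized. The allowlist entries and the property key `karaf.lock.jdbc.driver` are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public class JdbcLockConnectionFactory {

    // Constructed allowlist for this example; a deployment would take it from trusted configuration.
    private static final Set<String> ALLOWED_DRIVERS = Set.of(
            "org.apache.derby.jdbc.EmbeddedDriver",
            "org.h2.Driver");

    /** Pattern reported in KARAF-4215: the class name is loaded and initialized without any check. */
    static Connection unsafeCreateConnection(String driver, String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        Class.forName(driver); // runs the static initializer of whatever class the property names
        return DriverManager.getConnection(url, username, password);
    }

    /** Hardened form: allowlist, load without initialization, verify the type, then initialize. */
    static Connection safeCreateConnection(String driver, String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        if (driver == null || !ALLOWED_DRIVERS.contains(driver)) {
            throw new IllegalArgumentException("JDBC driver not permitted by configuration: " + driver);
        }
        ClassLoader loader = JdbcLockConnectionFactory.class.getClassLoader();
        // initialize=false: the class is linked but its static initializer does not run yet
        Class<?> candidate = Class.forName(driver, false, loader);
        if (!Driver.class.isAssignableFrom(candidate)) {
            throw new IllegalArgumentException(driver + " does not implement java.sql.Driver");
        }
        Class.forName(driver, true, loader); // type verified, let the driver register itself
        return DriverManager.getConnection(url, username, password);
    }

    public static void main(String[] args) throws Exception {
        // Constructed Properties object, standing in for the one handed to the DefaultJDBCLock constructor
        Properties props = new Properties();
        props.setProperty("karaf.lock.jdbc.driver", "com.example.NotADriver"); // assumed key, constructed value
        try {
            safeCreateConnection(props.getProperty("karaf.lock.jdbc.driver"), "jdbc:example:lock", "user", "secret");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints a rejection for the constructed driver name; with an allowlisted driver on the classpath the hardened method behaves exactly like the original.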
