[
https://issues.apache.org/jira/browse/DERBY-6631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14110511#comment-14110511
]
ASF subversion and git services commented on DERBY-6631:
--------------------------------------------------------
Commit 1620534 from [~knutanders] in branch 'code/trunk'
[ https://svn.apache.org/r1620534 ]
DERBY-6631: FileMonitor can be used to elevate an application's privileges
Don't elevate privileges in the setThreadPriority() method. Instead, let
the callers use doPrivileges() themselves.
> FileMonitor can be used to elevate an application's privileges
> --------------------------------------------------------------
>
> Key: DERBY-6631
> URL: https://issues.apache.org/jira/browse/DERBY-6631
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: d6631-1a-setThreadPriority.diff,
> d6631-1b-setThreadPriority.diff
>
>
> Various vulnerabilities in FileMonitor allow applications to perform
> security-sensitive operations with the elevated privileges granted to Derby:
> getDaemonThread() - The application can call this method in order to create
> threads, using Derby's elevated privileges.
> getJVMProperty() - The application can call this in order to read system
> properties using Derby's elevated privileges.
> setThreadPriority() - The application can call this method to change the
> priority of a daemon thread it has created. This call will execute with
> Derby's elevated privileges.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
