[
https://issues.apache.org/jira/browse/DERBY-6631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14110595#comment-14110595
]
Knut Anders Hatlen commented on DERBY-6631:
-------------------------------------------
For the remaining methods (getDaemonThread() and getJVMProperty()), let's wait
and see how DERBY-6648 ends up being solved. We might get some help from the
mechanisms introduced there.
> FileMonitor can be used to elevate an application's privileges
> --------------------------------------------------------------
>
> Key: DERBY-6631
> URL: https://issues.apache.org/jira/browse/DERBY-6631
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: d6631-1a-setThreadPriority.diff,
> d6631-1b-setThreadPriority.diff
>
>
> Various vulnerabilities in FileMonitor allow applications to perform
> security-sensitive operations with the elevated privileges granted to Derby:
> getDaemonThread() - The application can call this method in order to create
> threads, using Derby's elevated privileges.
> getJVMProperty() - The application can call this in order to read system
> properties using Derby's elevated privileges.
> setThreadPriority() - The application can call this method to change the
> priority of a daemon thread it has created. This call will execute with
> Derby's elevated privileges.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
