[ https://issues.apache.org/jira/browse/DERBY-3532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kristian Waagan updated DERBY-3532:
-----------------------------------

    Urgency: Normal  (was: Urgent)

Changed urgency to normal, as described in the previous comment.

> Invalid & possibly skipped authentication handling when shutting down the
> network server.
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3532
>                 URL: https://issues.apache.org/jira/browse/DERBY-3532
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.4.1.3, 10.5.1.1
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>
> In NetworkServerControlImpl.checkShutdownPrivileges() code fetches the
> internal authentication service to perform user authentication.
> However, if no such authentication service is found (null is returned), then
> authentication is bypassed; this has the potential of being a security hole.
> The discussion in DERBY-2109 indicated that even with authentication NONE,
> there is still an internal authentication service, thus null is not a valid
> return when getting the internal authentication service. A secure fail-safe
> system would be to not bypass authentication if null is returned.
> I tried removing the check for null in the method and that led to
> NullPointerExceptions. This means that something wrong is going on and very
> possibly no authentication checks are actually being made when shutting down
> the network server.
> The null return might be due to checking the authentication after Derby has
> been shutdown.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
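The fail-open pattern the report describes in checkShutdownPrivileges(), beside the fail-closed handling it asks for, as an added illustration that is not Derby's code; the class and method names (AuthService, NoneAuthService, ShutdownGuard, failOpenCheck, failClosedCheck) are hypothetical stand-ins for the real internals.

```java
// Added example, not Derby code: contrasts fail-open and fail-closed handling
// of a null authentication-service lookup. All names here are hypothetical.

interface AuthService {
    boolean authenticate(String user, String password);
}

// Even with authentication NONE the report says a real service object exists,
// so a lookup returning null is abnormal rather than a "no auth configured" case.
final class NoneAuthService implements AuthService {
    public boolean authenticate(String user, String password) { return true; }
}

public final class ShutdownGuard {
    private final AuthService service; // null models the lookup failure in the report

    ShutdownGuard(AuthService service) { this.service = service; }

    // Vulnerable pattern: a null service skips the credential check entirely.
    boolean failOpenCheck(String user, String password) {
        if (service == null) {
            return true; // BUG: shutdown allowed without any authentication
        }
        return service.authenticate(user, password);
    }

    // Fail-safe pattern: a missing service denies the shutdown request.
    boolean failClosedCheck(String user, String password) {
        if (service == null) {
            throw new SecurityException(
                "authentication service unavailable; refusing shutdown request");
        }
        return service.authenticate(user, password);
    }

    public static void main(String[] args) {
        ShutdownGuard noService = new ShutdownGuard(null);       // the bug condition
        ShutdownGuard authNone  = new ShutdownGuard(new NoneAuthService());

        System.out.println("fail-open, null service: " + noService.failOpenCheck("anyone", "x"));
        System.out.println("fail-closed, auth NONE:  " + authNone.failClosedCheck("anyone", "x"));
        try {
            noService.failClosedCheck("anyone", "x");
        } catch (SecurityException e) {
            System.out.println("fail-closed, null service: " + e.getMessage());
        }
    }
}
```

Running main shows the fail-open variant granting the shutdown with no service present, while the fail-closed variant only passes when a real (even NONE) service answers and raises otherwise.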