[ https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4215:
----------------------------------------
    Fix Version/s: 4.0.6
                   4.1.0

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: KARAF-4215
>                 URL: https://issues.apache.org/jira/browse/KARAF-4215
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the Karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365     Class.forName(driver);
> 366     // results in a closed connection in Derby if the update lock table request timed out
> 367     // DriverManager.setLoginTimeout(timeout);
> 368     return DriverManager.getConnection(url, username, password);
> 369 }
> {code}
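The finding above is that the `driver` string passed to `Class.forName` comes from an externally supplied `Properties` object and is never checked. The following is an added example, not Karaf's code and not the fix that shipped in 4.0.6/4.1.0, showing one defensive shape for the same method: the name is checked syntactically, restricted to an allowlist of driver classes, loaded without running static initializers, and verified to implement `java.sql.Driver` before it is initialized. The allowlist entries and the class name `SafeJdbcDriverLoading` are illustrative assumptions.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Karaf's code): a hardened variant of the
 * doCreateConnection(...) quoted in the issue. The driver class name still
 * comes from externally supplied properties, but it is now
 *  (1) checked to be a well-formed Java binary class name,
 *  (2) restricted to an allowlist of known JDBC driver classes, and
 *  (3) verified to implement java.sql.Driver before it is initialized.
 * Requires Java 9+ for Set.of.
 */
public final class SafeJdbcDriverLoading {

    // Illustrative allowlist (assumption): a deployment would list exactly the
    // drivers it ships. Any other class name is rejected before Class.forName.
    private static final Set<String> ALLOWED_DRIVERS = Set.of(
            "org.apache.derby.jdbc.EmbeddedDriver",
            "org.h2.Driver",
            "org.postgresql.Driver");

    // Java binary class name: dotted identifiers only, no array or JNI syntax.
    private static final Pattern CLASS_NAME = Pattern.compile(
            "[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");

    /** Validates the driver name and loads it only if it is an allowed java.sql.Driver. */
    static Class<? extends Driver> loadDriverClass(String driver) throws ClassNotFoundException {
        if (driver == null || !CLASS_NAME.matcher(driver).matches()) {
            throw new IllegalArgumentException("Malformed JDBC driver class name");
        }
        if (!ALLOWED_DRIVERS.contains(driver)) {
            throw new IllegalArgumentException("JDBC driver not in allowlist: " + driver);
        }
        // initialize=false: static initializers do not run until the type is verified.
        Class<?> loaded = Class.forName(driver, false, SafeJdbcDriverLoading.class.getClassLoader());
        if (!Driver.class.isAssignableFrom(loaded)) {
            throw new IllegalArgumentException(driver + " does not implement java.sql.Driver");
        }
        return loaded.asSubclass(Driver.class);
    }

    /** Hardened counterpart of the doCreateConnection(...) shown in the issue. */
    static Connection doCreateConnection(String driver, String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        Class<? extends Driver> driverClass = loadDriverClass(driver);
        // The class is now known to be a permitted Driver; initialize it so it
        // registers itself with DriverManager, as the original Class.forName did.
        Class.forName(driverClass.getName(), true, driverClass.getClassLoader());
        return DriverManager.getConnection(url, username, password);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first mirrors a property value an operator might
        // legitimately set; the second shows an arbitrary class name being refused.
        for (String candidate : new String[] {"org.apache.derby.jdbc.EmbeddedDriver", "java.lang.Object"}) {
            try {
                loadDriverClass(candidate);
                System.out.println("accepted: " + candidate);
            } catch (IllegalArgumentException | ClassNotFoundException e) {
                System.out.println("rejected: " + candidate + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design notes: the two-step `Class.forName(name, false, loader)` followed by `isAssignableFrom` matters because static initializers run at class initialization, so the type check must come before the initializing load; and since JDBC 4 `DriverManager` discovers drivers on the classpath through `META-INF/services/java.sql.Driver`, so in many deployments the `Class.forName` step can be removed entirely, which eliminates the externally controlled class name from the code path.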



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)