[ https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4215:
----------------------------------------

    Fix Version/s:     (was: 4.0.7)
                       4.0.8

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: KARAF-4215
>                 URL: https://issues.apache.org/jira/browse/KARAF-4215
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. The constructor for DefaultJDBCLock includes one parameter for a Properties object from which the parameters for the dynamic class are taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364     Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365         Class.forName(driver);
> 366         // results in a closed connection in Derby if the update lock table request timed out
> 367         // DriverManager.setLoginTimeout(timeout);
> 368         return DriverManager.getConnection(url, username, password);
> 369     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
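For comparison with the flagged method, the following is an added example of a hardened `doCreateConnection` (not Karaf's code and not the fix that went into 4.0.8): the driver name is still taken from the externally supplied Properties, but it is checked against an explicit allowlist and the loaded class must implement `java.sql.Driver` before it is initialised. The allowlist contents and the class name `CheckedJdbcConnectionFactory` are assumptions for this illustration.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/** Added example, not Karaf code: validates the reflectively loaded driver class. */
public final class CheckedJdbcConnectionFactory {

    // Constructed sample allowlist; a real deployment lists only the drivers it ships.
    private static final Set<String> ALLOWED_DRIVERS = Set.of(
            "org.apache.derby.jdbc.EmbeddedDriver",
            "org.h2.Driver");

    private CheckedJdbcConnectionFactory() {}

    /** Reads the driver name from the (external) Properties and rejects anything not allowlisted. */
    static String checkedDriverName(Properties props, String key) {
        String driver = props.getProperty(key);
        if (driver == null || driver.trim().isEmpty()) {
            throw new IllegalArgumentException("JDBC driver property '" + key + "' is not set");
        }
        driver = driver.trim();
        if (!ALLOWED_DRIVERS.contains(driver)) {
            throw new IllegalArgumentException("JDBC driver class not permitted: " + driver);
        }
        return driver;
    }

    /** Same signature as the flagged method, but the class is verified before it is initialised. */
    static Connection doCreateConnection(String driver, String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        if (!ALLOWED_DRIVERS.contains(driver)) {
            throw new IllegalArgumentException("JDBC driver class not permitted: " + driver);
        }
        // Load without running static initialisers, check the type, and only then initialise.
        ClassLoader loader = CheckedJdbcConnectionFactory.class.getClassLoader();
        Class<?> clazz = Class.forName(driver, false, loader);
        if (!Driver.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("Not a java.sql.Driver: " + driver);
        }
        Class.forName(driver, true, loader); // static initialiser registers the driver with DriverManager
        return DriverManager.getConnection(url, username, password);
    }
}
```

Loading with `initialize=false` first matters because `Class.forName(name)` runs the static initialiser of whatever class the name resolves to, which is the step the Fortify finding is about.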