[ 
https://issues.apache.org/jira/browse/TRANSPORTS-55?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14271480#comment-14271480
 ] 

Martin Gainty commented on TRANSPORTS-55:
-----------------------------------------

25 years ago I worked in a lab, so if Elaine Benes consumed a poppy seed roll, then 
took a test to indicate opiates and tested positive, then this test would be 
registered as a "false positive".

In software terms, a false positive is registered when a result indicates that a 
given condition has been fulfilled when it actually has not been fulfilled. So 
in your case, if:
1) the JVM has a lock on the CL while another client is attempting to update the 
resource acquired by that CL, which is always true
2) critical sections are safe for multiple threads loading different classes; 
generally implemented with synchronized, they will not allow other clients to update 
resources in the critical section until you exit the critical section
3) you invoked java.lang.ClassLoader's static method 
registerAsParallelCapable(). This registration indicates that all instances of 
your custom class loader are multithread safe.
4) check that all class loader classes that this custom class loader extends 
also invoke the registerAsParallelCapable() method in their class initializers. 
Ensure that they are multithread safe for concurrent class loading.

If these steps have been followed there would not be a false positive. It would 
be a good idea for both of us to implement a test case which would demonstrate 
mitigation for this vulnerability. Jeff Williams coded this for OWASP back in 2007:

https://owasp-esapi-java.googlecode.com/svn-history/r1236/branches/1.4/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java

starting the container with folder location of "resources which must be 
protected" with
java -Dorg.owasp.esapi.resources="C:\temp\resources" -jar ContainerBootstrap.jar

Does this answer your question?
Martin
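
The four class-loader steps above, as an added example that is not part of Martin's comment, the Axis2 code base, or the ESAPI class linked above. ParallelDirectoryClassLoader and the "classes" directory are constructed for illustration; it needs Java 9 or later for isRegisteredAsParallelCapable().

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Constructed example: a custom class loader that loads .class files from a
 * directory and declares itself parallel capable (steps 2-4 above).
 */
public class ParallelDirectoryClassLoader extends ClassLoader {

    static {
        // Step 3: register in the class initializer, before any instance exists.
        // Step 4: the call returns false if any superclass (other than Object) is
        // not itself registered, so a loader that extends an unregistered custom
        // loader fails loudly here instead of silently falling back to one lock.
        if (!registerAsParallelCapable()) {
            throw new IllegalStateException(
                    "a superclass of this loader is not registered as parallel capable");
        }
    }

    private final Path root;

    public ParallelDirectoryClassLoader(Path root, ClassLoader parent) {
        super(parent);
        this.root = root;
    }

    /**
     * Step 2: the inherited loadClass(name) wraps findLoadedClass/findClass in
     * synchronized (getClassLoadingLock(name)). Because the class is registered
     * as parallel capable, that lock is a per-class-name object, so threads
     * loading different classes do not serialise on the loader instance, while
     * two threads loading the same class still define it exactly once.
     */
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        Path classFile = root.resolve(name.replace('.', '/') + ".class");
        byte[] bytes;
        try {
            bytes = Files.readAllBytes(classFile);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
        return defineClass(name, bytes, 0, bytes.length);
    }

    public static void main(String[] args) {
        ParallelDirectoryClassLoader cl = new ParallelDirectoryClassLoader(
                Paths.get("classes"), ParallelDirectoryClassLoader.class.getClassLoader());

        // Check for step 3: the JVM confirms the registration took effect.
        System.out.println("registered as parallel capable: "
                + cl.isRegisteredAsParallelCapable());

        // Check for step 2: a parallel-capable loader hands out a distinct lock
        // per class name; a non-registered loader returns the loader itself.
        Object lockA = cl.getClassLoadingLock("com.example.A");
        Object lockB = cl.getClassLoadingLock("com.example.B");
        System.out.println("per-name locks, not the loader instance: "
                + (lockA != lockB && lockA != cl));
    }
}
```

Running main shows both checks; if the static block is removed, isRegisteredAsParallelCapable() reports false and getClassLoadingLock() returns the loader itself for every name, which is the single-lock behaviour a scanner flags as a concurrency risk.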

> Improper Resource Shutdown or Release in BaseUtils.java 246
> -----------------------------------------------------------
>
>                 Key: TRANSPORTS-55
>                 URL: https://issues.apache.org/jira/browse/TRANSPORTS-55
>             Project: Axis2 Transports
>          Issue Type: Bug
>          Components: Base
>    Affects Versions: 1.0.0
>            Reporter: David Camilo Espitia Manrique
>              Labels: security
>             Fix For: 1.0.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> We are currently using "Axis2-transport-base 1.0.0" and the Veracode 
> analysis found a bug in this class "BaseUtils.java" line 246:
> Type:  Improper Resource Shutdown or Release
> Description:
> The application fails to release (or incorrectly releases) a system resource 
> before it is made available for re-use. This
> condition often occurs with resources such as database connections or file 
> handles. Most unreleased resource issues
> result in general software reliability problems, but if an attacker can 
> intentionally trigger a resource leak, it may be
> possible to launch a denial of service attack by depleting the resource pool.
> Recommendations:
> When a resource is created or allocated, the developer is responsible for 
> properly releasing the resource as well as
> accounting for all potential paths of expiration or invalidation. Ensure that 
> all code paths properly release resources
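
The leak pattern the report describes, beside the release-on-every-path fix it recommends, as an added example. It is a constructed illustration of the weakness class, not the code at BaseUtils.java line 246; TrackedStream, readLeaky and readSafe are made up so that the unreleased handle can be counted.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

/** Constructed illustration of improper resource release; not Axis2 code. */
public class ResourceRelease {

    /** Streams opened but not yet closed, so a leak is observable in the demo. */
    static final AtomicInteger OPEN = new AtomicInteger();

    /** Stand-in for a file or socket stream whose close() we can observe. */
    static class TrackedStream extends ByteArrayInputStream {
        TrackedStream(byte[] data) {
            super(data);
            OPEN.incrementAndGet();
        }

        @Override
        public void close() throws IOException {
            OPEN.decrementAndGet();
            super.close();
        }
    }

    static String drain(Reader r) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = r.read()) != -1) {
            sb.append((char) c);
        }
        return sb.toString();
    }

    /** Leaky: close() is reached only when nothing between open and close throws. */
    static String readLeaky(InputStream in, boolean fail) throws IOException {
        Reader r = new InputStreamReader(in, StandardCharsets.UTF_8);
        if (fail) {
            // Simulated parse failure: the reader (and the stream under it) is
            // never closed on this path, which is the "path of expiration" the
            // recommendation asks the developer to account for.
            throw new IOException("parse error");
        }
        String body = drain(r);
        r.close();
        return body;
    }

    /** Fixed: try-with-resources closes the reader on every exit, exceptions included. */
    static String readSafe(InputStream in, boolean fail) throws IOException {
        try (Reader r = new InputStreamReader(in, StandardCharsets.UTF_8)) {
            if (fail) {
                throw new IOException("parse error");
            }
            return drain(r);
        }
    }

    /** Same guarantee for code that must stay on Java 6: release in finally. */
    static String readSafeLegacy(InputStream in, boolean fail) throws IOException {
        Reader r = new InputStreamReader(in, StandardCharsets.UTF_8);
        try {
            if (fail) {
                throw new IOException("parse error");
            }
            return drain(r);
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input standing in for a transport message body.
        byte[] payload = "<envelope/>".getBytes(StandardCharsets.UTF_8);

        try {
            readLeaky(new TrackedStream(payload), true);
        } catch (IOException expected) {
            // swallowed: we only care whether the handle was released
        }
        System.out.println("open handles after leaky failure: " + OPEN.get());

        OPEN.set(0);
        try {
            readSafe(new TrackedStream(payload), true);
        } catch (IOException expected) {
        }
        System.out.println("open handles after safe failure: " + OPEN.get());

        OPEN.set(0);
        try {
            readSafeLegacy(new TrackedStream(payload), true);
        } catch (IOException expected) {
        }
        System.out.println("open handles after legacy-safe failure: " + OPEN.get());
    }
}
```

The counter stays at one after the leaky call and returns to zero after either fixed variant; a unit test asserting OPEN is zero after a forced failure is the kind of test case that shows a scanner finding has actually been mitigated rather than argued away.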



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
