[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2016-10-20 Thread Guillaume Nodet (JIRA)

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Guillaume Nodet updated KARAF-4201:
---
Fix Version/s: (was: 4.0.8)
   (was: 4.1.0)

> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Priority: Minor
>
> HP Fortify and SciTools Understand were used to perform an application 
> security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not 
> trustworthy. Attackers can spoof DNS entries. 
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142 static void setupShutdown(ConfigProperties config, Framework framework) {
> 143     writePid(config.pidFile);
> 144     try {
> 145         int port = config.shutdownPort;
> 146         String host = config.shutdownHost;
> 147         String portFile = config.portFile;
> 148         final String shutdown = config.shutdownCommand;
> 149         if (port >= 0) {
> 150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
> 151             if (port == 0) {
> 152                 port = shutdownSocket.getLocalPort();
> 153             }
> 154             if (portFile != null) {
> 155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
> 156                 w.write(Integer.toString(port));
> 157                 w.close();
> 158             }
> 159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
> 160             thread.setDaemon(true);
> 161             thread.start();
> 162         }
> 163     } catch (Exception e) {
> 164         e.printStackTrace();
> 165     }
> 166 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
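
One way to keep a spoofed or misconfigured name from widening where the shutdown socket on line 150 listens is to resolve the configured host and bind only if the result is a loopback address. This is an added example, not Karaf code or a fix from the project; the class name `ShutdownBindExample`, the helper `resolveLoopbackOnly` and the sample host values are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;

public class ShutdownBindExample {

    /**
     * Resolve the configured shutdown host, but accept the result only if it
     * is a loopback address. A name that DNS (or a spoofed DNS answer) maps
     * to a routable interface is rejected instead of being bound.
     */
    static InetAddress resolveLoopbackOnly(String host) throws IOException {
        if (host == null || host.isEmpty()) {
            return InetAddress.getLoopbackAddress(); // no lookup involved
        }
        // IP literals are parsed locally; host names may go through DNS.
        InetAddress addr = InetAddress.getByName(host);
        if (!addr.isLoopbackAddress()) {
            throw new IOException("shutdown host '" + host
                    + "' resolved to non-loopback address " + addr.getHostAddress());
        }
        return addr;
    }

    public static void main(String[] args) {
        // Constructed sample values; 192.0.2.10 is a documentation address (RFC 5737).
        String[] hosts = { "127.0.0.1", "::1", "", "192.0.2.10", "0.0.0.0" };
        for (String host : hosts) {
            try {
                InetAddress bindAddr = resolveLoopbackOnly(host);
                // Port 0 requests an ephemeral port, like the port == 0 case in the quoted code.
                try (ServerSocket s = new ServerSocket(0, 1, bindAddr)) {
                    System.out.println("'" + host + "' -> bound " + s.getLocalSocketAddress());
                }
            } catch (IOException e) {
                // Covers both a rejected address and a failed bind (e.g. no IPv6 stack for ::1).
                System.out.println("'" + host + "' -> not bound: " + e.getMessage());
            }
        }
    }
}
```

The check runs on the resolved address rather than on the configured string, so it holds whether the value is an IP literal or a name.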


[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2016-10-20 Thread Guillaume Nodet (JIRA)

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Guillaume Nodet updated KARAF-4201:
---
Priority: Minor  (was: Major)

> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Priority: Minor
> Fix For: 4.1.0, 4.0.8
>


[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2016-09-18 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4201:

Fix Version/s: (was: 4.0.7)
   4.0.8

> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.8
>


[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2016-08-23 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4201:

Fix Version/s: (was: 4.0.6)
   4.0.7

> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.7
>


[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2016-03-31 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4201:

Fix Version/s: 4.0.6
   4.1.0

> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>


[jira] [Updated] (KARAF-4201) Often Misused: Authentication

2015-12-15 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4201:

Description: 
HP Fortify and SciTools Understand were used to perform an application security 
scan on the karaf source code.

The information returned by the call to getByName() on line 150 is not 
trustworthy. Attackers can spoof DNS entries. 

File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
Line: 150

InstanceHelper.java, lines 142-166:
{code}
142 static void setupShutdown(ConfigProperties config, Framework framework) {
143 writePid(config.pidFile);
144 try {
145 int port = config.shutdownPort;
146 String host = config.shutdownHost;
147 String portFile = config.portFile;
148 final String shutdown = config.shutdownCommand;
149 if (port >= 0) {
150 ServerSocket shutdownSocket = new ServerSocket(port, 1, 
InetAddress.getByName(host));
151 if (port == 0) {
152 port = shutdownSocket.getLocalPort();
153 }
154 if (portFile != null) {
155 Writer w = new OutputStreamWriter(new 
FileOutputStream(portFile));
156 w.write(Integer.toString(port));
157 w.close();
158 }
159 Thread thread = new ShutdownSocketThread(shutdown, 
shutdownSocket, framework);
160 thread.setDaemon(true);
161 thread.start();
162 }
163 } catch (Exception e) {
164 e.printStackTrace();
165 }
166 }
{code}

  was:
HP Fortify and SciTools Understand were used to perform an application security 
scan on the karaf source code.

The information returned by the call to getByName() on line 150 is not 
trustworthy. Attackers can spoof DNS entries. 

File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
Line: 150

InstanceHelper.java, lines 142-166:
142 static void setupShutdown(ConfigProperties config, Framework framework) {
143 writePid(config.pidFile);
144 try {
145 int port = config.shutdownPort;
146 String host = config.shutdownHost;
147 String portFile = config.portFile;
148 final String shutdown = config.shutdownCommand;
149 if (port >= 0) {
150 ServerSocket shutdownSocket = new ServerSocket(port, 1, 
InetAddress.getByName(host));
151 if (port == 0) {
152 port = shutdownSocket.getLocalPort();
153 }
154 if (portFile != null) {
155 Writer w = new OutputStreamWriter(new 
FileOutputStream(portFile));
156 w.write(Integer.toString(port));
157 w.close();
158 }
159 Thread thread = new ShutdownSocketThread(shutdown, 
shutdownSocket, framework);
160 thread.setDaemon(true);
161 thread.start();
162 }
163 } catch (Exception e) {
164 e.printStackTrace();
165 }
166 }


> Often Misused: Authentication
> -
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>