[jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2016-12-10 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4215:

Fix Version/s: (was: 4.0.8)
   4.0.9

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code ('Unsafe Reflection')
> 
>
> Key: KARAF-4215
> URL: https://issues.apache.org/jira/browse/KARAF-4215
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.9
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365 Class.forName(driver);
> 366 // results in a closed connection in Derby if the update lock table request timed out
> 367 // DriverManager.setLoginTimeout(timeout);
> 368 return DriverManager.getConnection(url, username, password);
> 369 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2016-09-18 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4215:

Fix Version/s: (was: 4.0.7)
   4.0.8

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code ('Unsafe Reflection')
> 
>
> Key: KARAF-4215
> URL: https://issues.apache.org/jira/browse/KARAF-4215
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365 Class.forName(driver);
> 366 // results in a closed connection in Derby if the update lock table request timed out
> 367 // DriverManager.setLoginTimeout(timeout);
> 368 return DriverManager.getConnection(url, username, password);
> 369 }
> {code}





[jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2016-08-23 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4215:

Fix Version/s: (was: 4.0.6)
   4.0.7

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code ('Unsafe Reflection')
> 
>
> Key: KARAF-4215
> URL: https://issues.apache.org/jira/browse/KARAF-4215
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.7
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365 Class.forName(driver);
> 366 // results in a closed connection in Derby if the update lock table request timed out
> 367 // DriverManager.setLoginTimeout(timeout);
> 368 return DriverManager.getConnection(url, username, password);
> 369 }
> {code}





[jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2016-03-31 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4215:

Fix Version/s: 4.0.6
   4.1.0

> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code ('Unsafe Reflection')
> 
>
> Key: KARAF-4215
> URL: https://issues.apache.org/jira/browse/KARAF-4215
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365 Class.forName(driver);
> 366 // results in a closed connection in Derby if the update lock table request timed out
> 367 // DriverManager.setLoginTimeout(timeout);
> 368 return DriverManager.getConnection(url, username, password);
> 369 }
> {code}





[jira] [Updated] (KARAF-4215) Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

2015-12-16 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4215:

Description: 
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the karaf source code.

Dynamically loaded code has the potential to be malicious. The application uses 
external input with reflection to select which classes or code to use, but it 
does not sufficiently prevent the input from selecting improper classes or 
code. The constructor for DefaultJDBCLock includes one parameter for a 
Properties object from which the parameters for the dynamic class are taken. 
None of the properties are checked for content.

File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
Line: 365

DefaultJDBCLock.java, lines 364-369:
{code}
364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
365 Class.forName(driver);
366 // results in a closed connection in Derby if the update lock table request timed out
367 // DriverManager.setLoginTimeout(timeout);
368 return DriverManager.getConnection(url, username, password);
369 }
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the karaf source code.

Dynamically loaded code has the potential to be malicious. The application uses 
external input with reflection to select which classes or code to use, but it 
does not sufficiently prevent the input from selecting improper classes or 
code. The constructor for DefaultJDBCLock includes one parameter for a 
Properties object from which the parameters for the dynamic class are taken. 
None of the properties are checked for content.

File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
Line: 365

DefaultJDBCLock.java, lines 364-369:
364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
365 Class.forName(driver);
366 // results in a closed connection in Derby if the update lock table request timed out
367 // DriverManager.setLoginTimeout(timeout);
368 return DriverManager.getConnection(url, username, password);
369 }


> Use of Dynamic Class Loading, Use of Externally-Controlled Input to Select 
> Classes or Code ('Unsafe Reflection')
> 
>
> Key: KARAF-4215
> URL: https://issues.apache.org/jira/browse/KARAF-4215
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> Dynamically loaded code has the potential to be malicious. The application 
> uses external input with reflection to select which classes or code to use, 
> but it does not sufficiently prevent the input from selecting improper 
> classes or code. The constructor for DefaultJDBCLock includes one parameter 
> for a Properties object from which the parameters for the dynamic class are 
> taken. None of the properties are checked for content.
> File: main\src\main\java\org\apache\karaf\main\lock\DefaultJDBCLock.java
> Line: 365
> DefaultJDBCLock.java, lines 364-369:
> {code}
> 364 Connection doCreateConnection(String driver, String url, String username, String password) throws ClassNotFoundException, SQLException {
> 365 Class.forName(driver);
> 366 // results in a closed connection in Derby if the update lock table request timed out
> 367 // DriverManager.setLoginTimeout(timeout);
> 368 return DriverManager.getConnection(url, username, password);
> 369 }
> {code}



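The finding in the thread above is that DefaultJDBCLock passes a value taken straight from a Properties object to Class.forName, with nothing checking what that value names. The following is an added, stand-alone example written for this page; it is not Karaf's code and does not show how Karaf fixed the issue. It puts the unchecked pattern beside a constrained one. The property key (lock.jdbc.driver), the allow-list contents, and the two nested classes FakeDriver and NotADriver are constructed for the demo so it runs without a real JDBC driver on the classpath; it needs Java 9 or later for Set.of.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.DriverPropertyInfo;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Logger;

// Stand-alone demo (not Karaf code). Run: javac SafeDriverLoading.java && java SafeDriverLoading
public class SafeDriverLoading {

    // Hypothetical property key; Karaf's real key is not given in the issue text.
    static final String DRIVER_PROP = "lock.jdbc.driver";

    // Hypothetical allow-list of driver classes an operator may configure. The FakeDriver
    // entry is a stand-in constructed for this demo so it runs without a real JDBC driver.
    static final Set<String> ALLOWED_DRIVERS = Set.of(
            "org.apache.derby.jdbc.EmbeddedDriver",
            SafeDriverLoading.class.getName() + "$FakeDriver");

    // The pattern flagged in the issue: single-argument Class.forName both loads AND
    // initializes whatever class the property names, so its static initializer runs
    // before the caller can look at what came back.
    static Class<?> loadDriverUnchecked(Properties props) throws ClassNotFoundException {
        return Class.forName(props.getProperty(DRIVER_PROP));
    }

    // Constrained form: allow-list the name, load WITHOUT initializing, verify it really is
    // a java.sql.Driver, and only then initialize (which is where JDBC drivers register
    // themselves with DriverManager).
    static Class<? extends Driver> loadDriverChecked(Properties props, Set<String> allowed)
            throws ClassNotFoundException {
        String name = props.getProperty(DRIVER_PROP);
        if (name == null || !allowed.contains(name)) {
            throw new IllegalArgumentException("driver not in allow-list: " + name);
        }
        ClassLoader cl = SafeDriverLoading.class.getClassLoader();
        Class<?> cls = Class.forName(name, /* initialize */ false, cl);
        if (!Driver.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException("not a java.sql.Driver: " + name);
        }
        Class.forName(name, true, cl);            // safe to run its static initializer now
        return cls.asSubclass(Driver.class);
    }

    // Counter kept in the outer class so reading it never initializes NotADriver itself.
    static int notADriverInitCount = 0;

    // Constructed stand-in for a class an attacker would rather have named: whatever sits
    // in a static initializer executes as soon as the class is initialized.
    public static class NotADriver {
        static { notADriverInitCount++; }
    }

    // Constructed minimal java.sql.Driver that self-registers the way real drivers do.
    public static class FakeDriver implements Driver {
        static {
            try { DriverManager.registerDriver(new FakeDriver()); }
            catch (SQLException e) { throw new ExceptionInInitializerError(e); }
        }
        public Connection connect(String url, Properties info) { return null; }
        public boolean acceptsURL(String url) { return url.startsWith("jdbc:fake:"); }
        public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) { return new DriverPropertyInfo[0]; }
        public int getMajorVersion() { return 1; }
        public int getMinorVersion() { return 0; }
        public boolean jdbcCompliant() { return false; }
        public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            throw new SQLFeatureNotSupportedException();
        }
    }

    public static void main(String[] args) throws Exception {
        Properties hostile = new Properties();
        hostile.setProperty(DRIVER_PROP, NotADriver.class.getName()); // class literal: no init

        // Even with the hostile name on the allow-list, the type check rejects it, and because
        // the class was loaded with initialize=false its static initializer has not run.
        try { loadDriverChecked(hostile, Set.of(NotADriver.class.getName())); }
        catch (IllegalArgumentException e) { System.out.println("checked: " + e.getMessage()); }
        System.out.println("initializer runs after checked load: " + notADriverInitCount);

        // The issue's pattern: the initializer runs before anyone inspects what was loaded.
        loadDriverUnchecked(hostile);
        System.out.println("initializer runs after unchecked load: " + notADriverInitCount);

        // Normal path: allow-listed, a real Driver, registered with DriverManager on init.
        Properties good = new Properties();
        good.setProperty(DRIVER_PROP, FakeDriver.class.getName());
        Class<? extends Driver> d = loadDriverChecked(good, ALLOWED_DRIVERS);
        System.out.println("loaded " + d.getName() + "; jdbc:fake:demo resolves to "
                + DriverManager.getDriver("jdbc:fake:demo").getClass().getName());
    }
}
```

Two points the demo makes. First, Class.forName(name) with one argument initializes the class it loads, so the static initializer of NotADriver runs during loadDriverUnchecked and the counter goes from 0 to 1; the checked variant passes initialize=false, tests Driver.class.isAssignableFrom on the result, and only initializes a class that passed, so the counter stays at 0 after the rejected attempt. Second, the allow-list on the name is the cheap control and the one a reviewer would ask for first; the type check is defence in depth for the day the list is widened or made configurable. Neither check helps against someone who already controls both the classpath and the Properties handed to the constructor; they bound what a configuration value alone can make the process load, which is the scope of the finding.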