You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/09/29 15:02:34 UTC

[jira] [Closed] (DERBY-6631) FileMonitor can be used to elevate an application's privileges

     [ https://issues.apache.org/jira/browse/DERBY-6631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas closed DERBY-6631.
--------------------------------

> FileMonitor can be used to elevate an application's privileges
> --------------------------------------------------------------
>
>                 Key: DERBY-6631
>                 URL: https://issues.apache.org/jira/browse/DERBY-6631
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>             Fix For: 10.12.0.0
>
>         Attachments: d6631-1a-setThreadPriority.diff, d6631-1b-setThreadPriority.diff
>
>
> Various vulnerabilities in FileMonitor allow applications to perform security-sensitive operations with the elevated privileges granted to Derby:
> getDaemonThread() - The application can call this method in order to create threads, using Derby's elevated privileges.
> getJVMProperty() -  The application can call this in order to read system properties using Derby's elevated privileges.
> setThreadPriority() - The application can call this method to change the priority of a daemon thread it has created. This call will execute with Derby's elevated privileges.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)