Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2015/12/15 16:10:46 UTC
[jira] [Created] (KARAF-4201) Often Misused: Authentication
Eduardo Aguinaga created KARAF-4201:
---------------------------------------
Summary: Often Misused: Authentication
Key: KARAF-4201
URL: https://issues.apache.org/jira/browse/KARAF-4201
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify and SciTools Understand were used to perform an application security scan on the Karaf source code.
The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries.
File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
Line: 150
InstanceHelper.java, lines 142-166:
142     static void setupShutdown(ConfigProperties config, Framework framework) {
143         writePid(config.pidFile);
144         try {
145             int port = config.shutdownPort;
146             String host = config.shutdownHost;
147             String portFile = config.portFile;
148             final String shutdown = config.shutdownCommand;
149             if (port >= 0) {
150                 ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
151                 if (port == 0) {
152                     port = shutdownSocket.getLocalPort();
153                 }
154                 if (portFile != null) {
155                     Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
156                     w.write(Integer.toString(port));
157                     w.close();
158                 }
159                 Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
160                 thread.setDaemon(true);
161                 thread.start();
162             }
163         } catch (Exception e) {
164             e.printStackTrace();
165         }
166     }
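The practical concern behind the finding at line 150 is that the shutdown command listener is bound to whatever the resolver returns for the configured host; if "localhost" unexpectedly resolves to a routable interface address, the port is exposed on the network. The following is an added example of a check that could be placed in front of the ServerSocket constructor (hypothetical class and method names, not Karaf's own code): the resolved address is accepted only when it is loopback, or, in the less strict mode, when it is the wildcard or belongs to a local interface.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;

/**
 * Hypothetical hardening of the bind step flagged at line 150 (example code, not Karaf's own).
 * The ServerSocket only ever receives an address that has been checked to be local; a name
 * that resolves to a routable interface address is rejected instead of silently exposing
 * the shutdown command port on the network.
 */
public final class ShutdownBindCheck {

    /**
     * Resolves the configured shutdown host and returns it only if it is safe to bind to.
     * With requireLoopback=true only 127.0.0.0/8 and ::1 are accepted, so a DNS answer for
     * "localhost" that points at a NIC address is refused.
     */
    static InetAddress resolveLocalBindAddress(String host, boolean requireLoopback)
            throws UnknownHostException, SocketException {
        // For an IP literal getByName() does no DNS lookup; for a name it does, and that
        // result is what a spoofed resolver could influence.
        InetAddress addr = InetAddress.getByName(host);
        if (addr.isLoopbackAddress()) {
            return addr;
        }
        if (requireLoopback) {
            throw new UnknownHostException("shutdown host '" + host + "' resolved to non-loopback "
                    + addr.getHostAddress());
        }
        // The wildcard and addresses of local interfaces are bindable; anything else is not local.
        if (addr.isAnyLocalAddress() || NetworkInterface.getByInetAddress(addr) != null) {
            return addr;
        }
        throw new UnknownHostException("shutdown host '" + host + "' resolved to non-local "
                + addr.getHostAddress());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an IP literal, a name and the wildcard, each checked in strict mode.
        for (String host : new String[] {"127.0.0.1", "localhost", "0.0.0.0"}) {
            try {
                InetAddress ok = resolveLocalBindAddress(host, true);
                System.out.println(host + " -> accepted: " + ok.getHostAddress());
            } catch (UnknownHostException e) {
                System.out.println(host + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

In strict mode the wildcard address is rejected along with any non-loopback answer, which is the behaviour a shutdown listener meant only for the local instance should have; the relaxed mode still refuses an address that no local interface owns.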
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)