Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/06/20 18:38:25 UTC

[jira] [Created] (DERBY-6631) FileMonitor can be used to elevate an application's privileges

Rick Hillegas created DERBY-6631:
------------------------------------

             Summary: FileMonitor can be used to elevate an application's privileges
                 Key: DERBY-6631
                 URL: https://issues.apache.org/jira/browse/DERBY-6631
             Project: Derby
          Issue Type: Bug
          Components: Services
    Affects Versions: 10.11.0.0
            Reporter: Rick Hillegas


Various vulnerabilities in FileMonitor allow applications to perform security-sensitive operations with the elevated privileges granted to Derby:

getDaemonThread() - The application can call this method in order to create threads, using Derby's elevated privileges.

getJVMProperty() - The application can call this in order to read system properties using Derby's elevated privileges.

setThreadPriority() - The application can call this method to change the priority of a daemon thread it has created. This call will execute with Derby's elevated privileges.

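
Added example, not part of the original report and not Derby's code: the pattern the report describes, a public method that wraps a sensitive operation in doPrivileged() for any caller, shown beside one mitigation that checks the caller before asserting privileges. The class ExampleMonitor, the permission name exampleMonitor.privilegedServices and all method bodies are hypothetical; the example assumes a JVM running with a SecurityManager and a policy that grants the library more permissions than the application.

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;

// Hypothetical library class for illustration; not Derby's FileMonitor source.
public final class ExampleMonitor {

    // Hypothetical permission target that a policy file grants to trusted callers only.
    private static final Permission USE_MONITOR =
            new RuntimePermission("exampleMonitor.privilegedServices");

    // Weak pattern: doPrivileged() stops the access-control stack walk at this
    // frame, so the library's grants apply no matter who the caller is.
    public String getJVMPropertyUnchecked(final String key) {
        return readProperty(key);
    }

    // Hardened: every frame on the stack, the application's included, must hold
    // USE_MONITOR before the library asserts its own privileges.
    public String getJVMProperty(final String key) {
        checkCaller();
        return readProperty(key);
    }

    // Hardened thread factory: same check before a thread is created on the
    // caller's behalf with the library's privileges.
    public Thread getDaemonThread(final Runnable task, final String name) {
        checkCaller();
        return AccessController.doPrivileged(new PrivilegedAction<Thread>() {
            public Thread run() {
                Thread t = new Thread(task, name);
                t.setDaemon(true);
                return t;
            }
        });
    }

    // Private, so the privileged read is reachable only through the methods above.
    private static String readProperty(final String key) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return System.getProperty(key); }
        });
    }

    // Throws SecurityException if any caller on the stack lacks USE_MONITOR.
    private static void checkCaller() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(USE_MONITOR);
    }
}
```

The check has to run outside the doPrivileged() block: inside it, the stack walk would already be cut off at the library's frame and the caller would never be examined.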