Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/15 16:15:46 UTC

[jira] [Updated] (KARAF-4201) Often Misused: Authentication

     [ https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4201:
----------------------------------------
    Description: 
HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.

The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries. 

File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
Line: 150

InstanceHelper.java, lines 142-166:
{code}
142 static void setupShutdown(ConfigProperties config, Framework framework) {
143     writePid(config.pidFile);
144     try {
145         int port = config.shutdownPort;
146         String host = config.shutdownHost;
147         String portFile = config.portFile;
148         final String shutdown = config.shutdownCommand;
149         if (port >= 0) {
150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
151             if (port == 0) {
152                 port = shutdownSocket.getLocalPort();
153             }
154             if (portFile != null) {
155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
156                 w.write(Integer.toString(port));
157                 w.close();
158             }
159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
160             thread.setDaemon(true);
161             thread.start();
162         }
163     } catch (Exception e) {
164         e.printStackTrace();
165     }
166 }
{code}

  was:
HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.

The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries. 

File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
Line: 150

InstanceHelper.java, lines 142-166:
142 static void setupShutdown(ConfigProperties config, Framework framework) {
143     writePid(config.pidFile);
144     try {
145         int port = config.shutdownPort;
146         String host = config.shutdownHost;
147         String portFile = config.portFile;
148         final String shutdown = config.shutdownCommand;
149         if (port >= 0) {
150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
151             if (port == 0) {
152                 port = shutdownSocket.getLocalPort();
153             }
154             if (portFile != null) {
155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
156                 w.write(Integer.toString(port));
157                 w.close();
158             }
159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
160             thread.setDaemon(true);
161             thread.start();
162         }
163     } catch (Exception e) {
164         e.printStackTrace();
165     }
166 }


> Often Misused: Authentication
> -----------------------------
>
>                 Key: KARAF-4201
>                 URL: https://issues.apache.org/jira/browse/KARAF-4201
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries. 
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142 static void setupShutdown(ConfigProperties config, Framework framework) {
> 143     writePid(config.pidFile);
> 144     try {
> 145         int port = config.shutdownPort;
> 146         String host = config.shutdownHost;
> 147         String portFile = config.portFile;
> 148         final String shutdown = config.shutdownCommand;
> 149         if (port >= 0) {
> 150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
> 151             if (port == 0) {
> 152                 port = shutdownSocket.getLocalPort();
> 153             }
> 154             if (portFile != null) {
> 155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
> 156                 w.write(Integer.toString(port));
> 157                 w.close();
> 158             }
> 159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
> 160             thread.setDaemon(true);
> 161             thread.start();
> 162         }
> 163     } catch (Exception e) {
> 164         e.printStackTrace();
> 165     }
> 166 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
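An added example, not Karaf's code and not part of the JIRA report above, of the check a reviewer would want around a bind like the one on line 150. The idea is to stop trusting the configured name once it has been resolved: the shutdown host is looked up exactly once, and the socket is only opened if the resulting address is loopback (or, when explicitly allowed, an address that actually belongs to a local interface). A spoofed DNS answer or a stray hosts-file entry then fails closed instead of quietly exposing the shutdown listener on a routable address. The class and method names (ShutdownBindCheck, resolveBindAddress, bindShutdownSocket) and the allowNonLoopback flag are assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.net.SocketException;
import java.net.UnknownHostException;

/**
 * Example only (not Karaf code): open a shutdown listener on a configured
 * host name without trusting the name itself. The name is resolved once and
 * the resulting address is vetted before any socket is created.
 */
public final class ShutdownBindCheck {

    /** Resolve the configured host and return it only if it is safe to bind to. */
    static InetAddress resolveBindAddress(String host, boolean allowNonLoopback)
            throws UnknownHostException, SocketException {
        // An unset host means "loopback"; never fall through to the wildcard address.
        if (host == null || host.trim().isEmpty()) {
            return InetAddress.getLoopbackAddress();
        }
        // Single resolution. For a non-literal name this is a DNS / hosts-file
        // lookup, which is exactly what the Fortify finding says cannot be trusted.
        InetAddress addr = InetAddress.getByName(host.trim());

        if (addr.isAnyLocalAddress()) {
            throw new SocketException(
                    "refusing to bind shutdown socket to the wildcard address " + addr);
        }
        if (addr.isLoopbackAddress()) {
            return addr;
        }
        if (!allowNonLoopback) {
            throw new SocketException(
                    "shutdown host '" + host + "' resolved to non-loopback address " + addr);
        }
        // Even when a non-loopback bind is allowed, the address must belong to
        // this machine; anything else is a spoofed name or a misconfiguration.
        if (NetworkInterface.getByInetAddress(addr) == null) {
            throw new SocketException("shutdown host '" + host + "' resolved to " + addr
                    + ", which is not an address of a local interface");
        }
        return addr;
    }

    /** Open the listener (backlog 1, as in the original code) only on a vetted address. */
    static ServerSocket bindShutdownSocket(int port, String host, boolean allowNonLoopback)
            throws IOException {
        InetAddress bindAddr = resolveBindAddress(host, allowNonLoopback);
        return new ServerSocket(port, 1, bindAddr);
    }

    public static void main(String[] args) {
        // Constructed inputs for the demo; a real caller would pass the
        // shutdownHost value from the instance configuration.
        String[] hosts = { "localhost", "127.0.0.1", "0.0.0.0", "example.invalid" };
        for (String h : hosts) {
            try {
                InetAddress a = resolveBindAddress(h, false);
                System.out.println(h + " -> accepted, would bind to " + a);
            } catch (IOException e) {
                System.out.println(h + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Two practical notes. InetAddress.getByName() performs no DNS lookup when the argument is an IP literal, so configuring the shutdown host as 127.0.0.1 rather than a name sidesteps the resolution entirely; the check above matters when a name is used. And the check deliberately rejects the wildcard address, because a resolution (or an empty configuration) that yields 0.0.0.0 would make the shutdown command reachable from every interface, which is the outcome the finding warns about.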