Posted to derby-dev@db.apache.org by "Rick Hillegas (JIRA)" <ji...@apache.org> on 2014/06/20 16:31:27 UTC

[jira] [Commented] (DERBY-6630) Applications can use JCECipherFactory to elevate their privileges to those granted to Derby

    [ https://issues.apache.org/jira/browse/DERBY-6630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038844#comment-14038844 ] 

Rick Hillegas commented on DERBY-6630:
--------------------------------------

The following code in this file should be protected from execution by the application:

{noformat}
org.apache.derby.impl.services.jce.JCECipherFactory init java.security.AccessController.doPrivileged line 552
org.apache.derby.impl.services.jce.JCECipherFactory privAccessFile java.security.AccessController.doPrivileged line 1040
org.apache.derby.impl.services.jce.JCECipherFactory privAccessGetInputStream java.security.AccessController.doPrivileged line 1063
org.apache.derby.impl.services.jce.JCECipherFactory run java.lang.Class.newInstance line 861
{noformat}

> Applications can use JCECipherFactory to elevate their privileges to those granted to Derby
> -------------------------------------------------------------------------------------------
>
>                 Key: DERBY-6630
>                 URL: https://issues.apache.org/jira/browse/DERBY-6630
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.0.0
>            Reporter: Rick Hillegas
>
> JCECipherFactory.run() performs security-sensitive operations. It is executed in a privilege block by the init() method, which is, in turn, executed by the public constructor. The class and its corresponding factory are public, which means that any code running in the same JVM can run this security-sensitive code with the privileges granted to Derby.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
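Added illustration of the pattern the ticket describes. This is example code written for this page, not Derby's JCECipherFactory and not the fix the project applied: a public factory whose constructor opens a key file inside AccessController.doPrivileged, beside a variant that first demands the permission from the caller. The class names, the key-file path and the policy layout mentioned below are assumptions for the demo, and it presumes a JVM running with a SecurityManager, as the 2014 Derby code base did.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Illustrative example (not Derby code): why a public constructor that wraps
 * sensitive work in doPrivileged hands the library's grants to any caller in
 * the JVM, and one way to close the hole. Names and paths are assumptions.
 */
public final class PrivilegeEscalationDemo {

    /** Shared privileged step, shaped like init()/privAccessGetInputStream. */
    static InputStream privilegedOpen(final File keyFile) throws IOException {
        try {
            // doPrivileged stops the permission stack walk at this frame, so only
            // the factory's own protection domain is consulted, never the caller's.
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<InputStream>() {
                    public InputStream run() throws IOException {
                        return new FileInputStream(keyFile);
                    }
                });
        } catch (PrivilegedActionException pae) {
            // run() declares only IOException, so this cast is safe.
            throw (IOException) pae.getException();
        }
    }

    /** Vulnerable shape: public entry point, privileged work, no check of the caller. */
    public static final class LeakyCipherFactory {
        private final InputStream keyStream;

        public LeakyCipherFactory(File keyFile) throws IOException {
            // Any code that can reach this constructor reads keyFile with the
            // factory's grants, even if its own policy denies the file.
            this.keyStream = privilegedOpen(keyFile);
        }

        public InputStream keyStream() { return keyStream; }
    }

    /** Hardened shape: demand the permission from the caller before elevating. */
    public static final class GuardedCipherFactory {
        private final InputStream keyStream;

        public GuardedCipherFactory(File keyFile) throws IOException {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Runs outside doPrivileged, so the check walks the full stack and
                // throws AccessControlException if the application's own domain
                // lacks read access to the file.
                sm.checkPermission(new FilePermission(keyFile.getPath(), "read"));
            }
            this.keyStream = privilegedOpen(keyFile);
        }

        public InputStream keyStream() { return keyStream; }
    }

    public static void main(String[] args) throws IOException {
        // Assumed path; point it at a file the policy grants only to the factory jar.
        File keyFile = new File(args.length > 0 ? args[0] : "/tmp/demo-key.txt");
        try (InputStream in = new LeakyCipherFactory(keyFile).keyStream()) {
            System.out.println("leaky factory: opened key file, first byte " + in.read());
        } catch (AccessControlException e) {
            System.out.println("leaky factory: denied (" + e.getMessage() + ")");
        }
        try (InputStream in = new GuardedCipherFactory(keyFile).keyStream()) {
            System.out.println("guarded factory: opened key file, first byte " + in.read());
        } catch (AccessControlException e) {
            System.out.println("guarded factory: denied (" + e.getMessage() + ")");
        }
    }
}
```

To see the difference, the two sides must live in different protection domains: package the factory in its own jar with a policy grant of FilePermission on the key file, and call it from application code whose grant omits that permission. With that split, new LeakyCipherFactory(f) succeeds from the application while new GuardedCipherFactory(f) throws AccessControlException, which is the elevation the ticket describes. Checking the permission is one remedy; making the class or constructor non-public, or gating it behind a library-specific permission, are others. SecurityManager is deprecated for removal in recent JDKs, so this applies to the Java 8-era runtime the issue targets.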