Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/15 16:15:46 UTC
[jira] [Commented] (KARAF-4201) Often Misused: Authentication
[ https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058190#comment-15058190 ]
Jean-Baptiste Onofré commented on KARAF-4201:
---------------------------------------------
Thanks for the report; we will find a workaround.
> Often Misused: Authentication
> -----------------------------
>
> Key: KARAF-4201
> URL: https://issues.apache.org/jira/browse/KARAF-4201
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries.
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142 static void setupShutdown(ConfigProperties config, Framework framework) {
> 143 writePid(config.pidFile);
> 144 try {
> 145 int port = config.shutdownPort;
> 146 String host = config.shutdownHost;
> 147 String portFile = config.portFile;
> 148 final String shutdown = config.shutdownCommand;
> 149 if (port >= 0) {
> 150 ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
> 151 if (port == 0) {
> 152 port = shutdownSocket.getLocalPort();
> 153 }
> 154 if (portFile != null) {
> 155 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
> 156 w.write(Integer.toString(port));
> 157 w.close();
> 158 }
> 159 Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
> 160 thread.setDaemon(true);
> 161 thread.start();
> 162 }
> 163 } catch (Exception e) {
> 164 e.printStackTrace();
> 165 }
> 166 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
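The finding above is about where the shutdown listener ends up bound: `InetAddress.getByName(host)` hands whatever the resolver answers straight to `new ServerSocket(port, 1, addr)`, so a spoofed or mis-pointed DNS record for the configured name silently moves the listener off the loopback interface and onto whatever address the answer names. The following is an added example, not Karaf's code, of the check a practitioner would put in front of that bind. The class name `ShutdownBindAddress`, the helper names and the policy it enforces (accept IP literals except wildcard, resolve a real name but only accept a loopback answer, treat `localhost` as loopback without consulting DNS) are assumptions chosen for illustration, not the fix the project adopted.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Added example (not Karaf code): choose the shutdown bind address without
 * trusting an arbitrary resolver answer. Policy and names are assumptions.
 */
public final class ShutdownBindAddress {

    // Good enough to tell a dotted-quad apart from a host name; anything containing
    // ':' is treated as an IPv6 literal. For a literal, getByName() only checks the
    // syntax and never performs a lookup (documented JDK behaviour).
    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    private static boolean isIpLiteral(String host) {
        return IPV4.matcher(host).matches() || host.indexOf(':') >= 0;
    }

    /** The pattern the scanner flagged: the resolver answer is bound unchecked. */
    static ServerSocket bindUnchecked(String host, int port) throws IOException {
        return new ServerSocket(port, 1, InetAddress.getByName(host));
    }

    /**
     * Hardened variant: an explicit literal is the administrator's choice and is
     * accepted unless it is the wildcard; a name may come back from DNS pointing
     * anywhere, so it is accepted only when it resolves to a loopback address.
     */
    static InetAddress resolveLocalOnly(String host) throws UnknownHostException {
        if (host == null || host.isEmpty() || "localhost".equalsIgnoreCase(host)) {
            return InetAddress.getLoopbackAddress();          // no resolver involved
        }
        if (isIpLiteral(host)) {
            InetAddress literal = InetAddress.getByName(host); // syntax check only
            if (literal.isAnyLocalAddress()) {
                throw new UnknownHostException("refusing wildcard bind address " + host);
            }
            return literal;
        }
        // A real name: every candidate comes from the resolver and can be spoofed,
        // so accept it only if it points back at this machine.
        for (InetAddress candidate : InetAddress.getAllByName(host)) {
            if (candidate.isLoopbackAddress()) {
                return candidate;
            }
        }
        throw new UnknownHostException("shutdown host " + host
                + " did not resolve to a loopback address; not trusting the DNS answer");
    }

    /** Same shape as the flagged call, but the address has passed the check above. */
    static ServerSocket bindLocalOnly(String host, int port) throws IOException {
        return new ServerSocket(port, 1, resolveLocalOnly(host));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The first four never touch DNS; the last one does,
        // and is rejected whether the lookup fails or returns a non-loopback address.
        String[] hosts = {"localhost", "127.0.0.1", "::1", "0.0.0.0", "shutdown.example.invalid"};
        for (String h : hosts) {
            try {
                System.out.println(h + " -> accepted as " + resolveLocalOnly(h).getHostAddress());
            } catch (UnknownHostException e) {
                System.out.println(h + " -> rejected: " + e.getMessage());
            }
        }
        // Port 0 asks the kernel for a free port, as the Karaf code does when port == 0.
        try (ServerSocket s = bindLocalOnly("localhost", 0)) {
            System.out.println("shutdown listener bound to " + s.getLocalSocketAddress());
        }
    }
}
```

The bind address decides who can reach the `ShutdownSocketThread` at all; the shutdown command string it compares against is a second line of defence, not a reason to let the listener land on a routable interface. Configuring the host as an IP literal avoids the resolver entirely, which is the simplest way to make the scanner's concern moot.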