You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/15 16:15:46 UTC

[jira] [Commented] (KARAF-4201) Often Misused: Authentication

    [ https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15058190#comment-15058190 ] 

Jean-Baptiste Onofré commented on KARAF-4201:
---------------------------------------------

Thanks for the report, we will find a workaround.

> Often Misused: Authentication
> -----------------------------
>
>                 Key: KARAF-4201
>                 URL: https://issues.apache.org/jira/browse/KARAF-4201
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries. 
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142 static void setupShutdown(ConfigProperties config, Framework framework) {
> 143     writePid(config.pidFile);
> 144     try {
> 145         int port = config.shutdownPort;
> 146         String host = config.shutdownHost;
> 147         String portFile = config.portFile;
> 148         final String shutdown = config.shutdownCommand;
> 149         if (port >= 0) {
> 150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
> 151             if (port == 0) {
> 152                 port = shutdownSocket.getLocalPort();
> 153             }
> 154             if (portFile != null) {
> 155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
> 156                 w.write(Integer.toString(port));
> 157                 w.close();
> 158             }
> 159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
> 160             thread.setDaemon(true);
> 161             thread.start();
> 162         }
> 163     } catch (Exception e) {
> 164         e.printStackTrace();
> 165     }
> 166 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)