[DERBY-6630] Applications can use JCECipherFactory to elevate their privileges to those granted to Derby - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.11.1.1
Fix Version/s: 10.12.1.1
Component/s: Services
Labels:
- derby_backport_reject_10_11

Urgency:
Normal
Bug behavior facts:

Security

Description

JCECipherFactory.run() performs security-sensitive operations. It is executed in a privilege block by the init() method, which is, in turn, executed by the public constructor. The class and its corresponding factory are public, which means that any code running in the same JVM can run this security-sensitive code with the privileges granted to Derby.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

derby-6630-01-aa-usederbyinternals.diff
29/Sep/14 13:47
3 kB
Richard N. Hillegas

Issue Links

relates to

DERBY-6648 Application code should not be able to call ContextService.getContextOrNull()

Closed

Activity

People

Assignee:: Richard N. Hillegas

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Jun/14 14:23

Updated:: 02/Oct/14 20:36

Resolved:: 29/Sep/14 18:54