[ https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4201:
----------------------------------------
    Fix Version/s:     (was: 4.0.7)
                       4.0.8

> Often Misused: Authentication
> -----------------------------
>
>                 Key: KARAF-4201
>                 URL: https://issues.apache.org/jira/browse/KARAF-4201
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify and SciTools Understand were used to perform an application
> security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not
> trustworthy. Attackers can spoof DNS entries.
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142     static void setupShutdown(ConfigProperties config, Framework framework) {
> 143         writePid(config.pidFile);
> 144         try {
> 145             int port = config.shutdownPort;
> 146             String host = config.shutdownHost;
> 147             String portFile = config.portFile;
> 148             final String shutdown = config.shutdownCommand;
> 149             if (port >= 0) {
> 150                 ServerSocket shutdownSocket = new ServerSocket(port, 1,
>                         InetAddress.getByName(host));
> 151                 if (port == 0) {
> 152                     port = shutdownSocket.getLocalPort();
> 153                 }
> 154                 if (portFile != null) {
> 155                     Writer w = new OutputStreamWriter(new
>                             FileOutputStream(portFile));
> 156                     w.write(Integer.toString(port));
> 157                     w.close();
> 158                 }
> 159                 Thread thread = new ShutdownSocketThread(shutdown,
>                         shutdownSocket, framework);
> 160                 thread.setDaemon(true);
> 161                 thread.start();
> 162             }
> 163         } catch (Exception e) {
> 164             e.printStackTrace();
> 165         }
> 166     }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
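The finding above concerns `InetAddress.getByName(host)` on line 150, where the resolved address is used only as the bind address of the shutdown listener. The Javadoc for `getByName` states that when it is handed an IP literal it only checks the format and never consults a resolver, so the spoofable DNS step disappears if the configured host is restricted to literals (or the built-in loopback address) before the socket is created. The class below is an added illustration written for this note, not Karaf code and not part of the ticket; `ShutdownBindAddress`, `resolveWithoutDns`, `openShutdownSocket` and the sample host strings are hypothetical names and constructed values standing in for `config.shutdownHost`.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not Karaf code): turn a configured shutdown host into a
 * bind address without ever asking a DNS resolver. getByName() only parses when
 * given an IP literal, so limiting input to literals plus "localhost" removes
 * the lookup the Fortify finding is about.
 */
public final class ShutdownBindAddress {

    // Dotted-quad IPv4, and colon-separated IPv6 optionally in RFC 2732 brackets.
    // These are shape checks only; InetAddress.getByName still validates the syntax.
    private static final Pattern IPV4 = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");
    private static final Pattern IPV6 = Pattern.compile("^\\[?[0-9A-Fa-f.]*(:[0-9A-Fa-f.]*)+\\]?$");

    private ShutdownBindAddress() {}

    static boolean isIpLiteral(String host) {
        return IPV4.matcher(host).matches() || IPV6.matcher(host).matches();
    }

    /** Returns the address to bind to, or throws if the value would need a DNS lookup. */
    static InetAddress resolveWithoutDns(String host) throws UnknownHostException {
        String h = host == null ? "" : host.trim();
        if (h.isEmpty() || "localhost".equalsIgnoreCase(h)) {
            return InetAddress.getLoopbackAddress();   // built-in constant, no resolver involved
        }
        if (!isIpLiteral(h)) {
            throw new UnknownHostException(
                "shutdown host must be an IP literal or 'localhost', refusing to resolve: " + h);
        }
        return InetAddress.getByName(h);               // literal: format check only, no DNS
    }

    /** Binds the shutdown listener and confirms the socket ended up on the intended address. */
    static ServerSocket openShutdownSocket(String host, int port) throws IOException {
        InetAddress bindAddr = resolveWithoutDns(host);
        ServerSocket socket = new ServerSocket(port, 1, bindAddr);
        if (!socket.getInetAddress().equals(bindAddr)) {   // InetAddress.equals compares raw bytes
            socket.close();
            throw new IOException("bound to " + socket.getInetAddress() + ", expected " + bindAddr);
        }
        return socket;
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for config.shutdownHost settings.
        String[] candidates = { "localhost", "127.0.0.1", "::1", "shutdown.example.com" };
        for (String c : candidates) {
            // Port 0 asks for an ephemeral port, as the original code allows.
            try (ServerSocket s = openShutdownSocket(c, 0)) {
                System.out.println(c + " -> bound " + s.getInetAddress().getHostAddress()
                        + ":" + s.getLocalPort());
            } catch (UnknownHostException e) {
                System.out.println(c + " -> rejected: " + e.getMessage());
            } catch (IOException e) {
                // e.g. "::1" on a host without IPv6 loopback
                System.out.println(c + " -> bind failed: " + e.getMessage());
            }
        }
    }
}
```

The hostname candidate is rejected before any socket is opened, while the literal and loopback candidates bind without a resolver round trip; the post-bind comparison against `getInetAddress()` is a cheap sanity check that the listener is on the address the operator configured rather than on a wildcard.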