river-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas Vinod Johnson (JIRA)" <j...@apache.org>
Subject [jira] Work started: (RIVER-205) LookupDiscovery can give untrusted code access to privileged threads
Date Tue, 04 Mar 2008 16:07:40 GMT

     [ https://issues.apache.org/jira/browse/RIVER-205?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Work on RIVER-205 started by Thomas Vinod Johnson.

> LookupDiscovery can give untrusted code access to privileged threads
> --------------------------------------------------------------------
>                 Key: RIVER-205
>                 URL: https://issues.apache.org/jira/browse/RIVER-205
>             Project: River
>          Issue Type: Bug
>      Security Level: Security risk, visible to anyone(Issues identified as security risk
but for which a patch is available) 
>          Components: net_jini_discovery
>            Reporter: Ron Mann
>            Assignee: Thomas Vinod Johnson
>            Priority: Minor
>             Fix For: AR2
> Bugtraq ID [6357961|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6357961]
> LookupDiscovery uses a TaskManager and WakeupManager instance which it may retrieve from
a Configuration object that is passed to it at construction time. Some tasks that it generates
using these utilities (DecodeAnnouncementTask, UnicastDiscoveryTask) are done within a thread
with raised privileges. If the TaskManager and WakeupManager needs to spawn threads to dispatch
the task, they will be spawned with the same security context as the privileged thread. Untrusted
code can construct a LookupDiscovery instance with a Configuration object that returns TaskManager
and WakeupManager instances that it has a handle to. It can then add new tasks (using say
dynamic proxy or other trusted code) to its TaskManager and WakeupManager instances, which
get executed with the security context of the privileged LookupDiscovery thread.
> Also note that the LookupDiscovery thread which generates the tasks retains the DomainCombiner
that was present at the time of instantiation, so there is the theoretical possibility of
exploiting, say the JAAS Subject if the combiner were a SubjectDomainCombiner.
> Suggested Fix:
> LookupDiscovery should restore the security context (that it snap shots at instantiation
time) before it adds tasks to TaskManager and WakeupManager. We need to ensure that existing
operations within those tasks do not need elevated privilege. If they do, those operations
may be performed in doPrivileged blocks.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message