[DERBY-6619] After silently swallowing SecurityExceptions, Derby can leak class loaders - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10.11.1.3, 10.12.1.1
Component/s: Services
Labels:
None

Urgency:
Normal
Bug behavior facts:

Security

Description

As part of the fix for ~~DERBY-3745~~, Derby silently swallows security exceptions and leaks class loaders. This can give rise to denial-of-service attacks. At a minimum, Derby should report the swallowed exceptions so that the security policy can be corrected and the application can be hardened against this attack. The swallowing occurs at these locations:

org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException 0 line 175
org.apache.derby.impl.services.timer.SingletonTimerFactory run Catch java.lang.SecurityException 1 line 158

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

derby-6619.status
18/Aug/14 22:01
1 kB
Dag H. Wanvik
derby-6619.diff
18/Aug/14 22:08
8 kB
Dag H. Wanvik
derby.log
18/Aug/14 22:13
15 kB
Dag H. Wanvik
derby-6619b.diff
19/Aug/14 15:38
15 kB
Dag H. Wanvik
derby-6619c.diff
19/Aug/14 17:02
19 kB
Dag H. Wanvik
system-loader.diff
22/Aug/14 11:20
2 kB
Knut Anders Hatlen
derby-6619-2.diff
22/Aug/14 23:58
43 kB
Dag H. Wanvik
derby-6619-2b.diff
25/Aug/14 16:39
43 kB
Dag H. Wanvik
derby-6619-2-refinement.diff
25/Aug/14 17:26
2 kB
Dag H. Wanvik
comments.diff
26/Aug/14 09:16
3 kB
Knut Anders Hatlen

Issue Links

relates to

DERBY-3745 Derby can leak classloaders in an app server environment

Closed

DERBY-6107 Investigate why setting a login timeout causes NativeAuthenticationServiceTest to fail when run in a suite

Closed

Activity

People

Assignee:: Dag H. Wanvik

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Jun/14 14:13

Updated:: 09/Sep/16 09:53

Resolved:: 25/Aug/14 17:59