[xSocket-develop] A xSocket security vulnerability
From: Xiaoqin Fu <xia...@gm...> - 2019-08-03 18:44:56
Dear developers:
I am a Ph.D. student at Washington State University. I applied a dynamic
taint analyzer (distTaint) to xSocket (version 2.8.5) and then found a
security vulnerability from tainted paths:
    public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
        ......
        try {
            selector = Selector.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " +
                ioe.toString();
            LOG.isLoggable(Level.SEVERE);
            LOG.severe(text);
            throw new RuntimeException(text, ioe);
        }
        ......
    }
Sensitive information about the selector may be leaked. The
LOG.isLoggable(Level.SEVERE) conditional statement should be added:
    public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
        ......
        try {
            selector = Selector.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " +
                ioe.toString();
            if (LOG.isLoggable(Level.SEVERE))
                LOG.severe(text);
            throw new RuntimeException(text, ioe);
        }
        ......
    }
Please help me confirm it.
Thank you very much!
Yours sincerely,
Xiaoqin Fu
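The following is an added, stand-alone Java example that is not xSocket code and not part of the report above. It applies the isLoggable guard the report proposes to a catch block shaped like the IoSocketDispatcher constructor, with one variation that is an assumption of this example rather than the reporter's patch: the message string that embeds ioe.toString() is built inside the guard, so that whether it is built at all depends on whether Level.SEVERE is enabled for the logger. A counter makes that observable; the IOException is constructed by the example to exercise the failure path, since Selector.open() rarely fails on a normal host.

```java
import java.io.IOException;
import java.nio.channels.Selector;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not xSocket code: a selector-open helper whose failure
// path logs only when SEVERE is enabled, with the exception text kept
// out of the message unless it is going to be logged.
public class GuardedSelectorOpen {
    private static final Logger LOG = Logger.getLogger(GuardedSelectorOpen.class.getName());

    // Counts how often the exception-bearing message string was built,
    // so the effect of the guard can be observed at the call site.
    static int messagesBuilt = 0;

    // Same shape as the quoted constructor: open a Selector and route any
    // IOException through the guarded failure handler.
    static Selector openSelector() {
        try {
            return Selector.open();
        } catch (IOException ioe) {
            return onOpenFailure(ioe);
        }
    }

    // Guarded failure handler. The isLoggable check decides whether the
    // string containing ioe.toString() is built and logged at all; the
    // RuntimeException still carries ioe as its cause for callers that
    // need to diagnose the failure (assumed variation, see lead-in).
    static Selector onOpenFailure(IOException ioe) {
        if (LOG.isLoggable(Level.SEVERE)) {
            String text = "exception occurred while opening selector. Reason: " + ioe.toString();
            messagesBuilt++;
            LOG.severe(text);
        }
        throw new RuntimeException("exception occurred while opening selector", ioe);
    }

    public static void main(String[] args) {
        // Constructed failure, not a real Selector.open() error.
        IOException fake = new IOException("constructed: too many open files");

        // With SEVERE disabled the guard skips building and logging the text.
        LOG.setLevel(Level.OFF);
        try {
            onOpenFailure(fake);
        } catch (RuntimeException expected) {
            System.out.println("SEVERE disabled, cause preserved: " + (expected.getCause() == fake));
        }
        System.out.println("messages built so far: " + messagesBuilt);

        // With SEVERE enabled the text is built and handed to the logger.
        LOG.setLevel(Level.SEVERE);
        try {
            onOpenFailure(fake);
        } catch (RuntimeException expected) {
            System.out.println("SEVERE enabled, cause preserved: " + (expected.getCause() == fake));
        }
        System.out.println("messages built so far: " + messagesBuilt);

        // The normal path still returns a usable Selector.
        Selector s = openSelector();
        System.out.println("selector open: " + s.isOpen());
    }
}
```

Run with `javac GuardedSelectorOpen.java && java GuardedSelectorOpen`. The point a reviewer would check is the second counter line against the first: the message that embeds the exception text is built exactly once, on the run where SEVERE is enabled, while the thrown RuntimeException keeps the original IOException as its cause on both runs.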