[xSocket-develop] Dear developers: I am a Ph.D. student at Washington State University. I applied d
Status: Inactive
Brought to you by:
grro
Menu
▾
▴
[xSocket-develop] Dear developers: I am a Ph.D. student at Washington State University. I applied dynamic taint analyzer (distTaint) to xSocket (version 2.8.5). And then I find a security vulnerability from tainted paths: In org.xsocket.connection.IoSocketDispatcher,
|
From: Fu, X. <xia...@ws...> - 2019-08-09 00:30:48
|
Dear developers:
I am a Ph.D. student at Washington State University. I applied dynamic taint analyzer (distTaint) to xSocket (version 2.8.5). And then I find a security vulnerability from tainted paths:
In org.xsocket.connection.IoSocketDispatcher,
public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
......
try {
selector = Selector.open();
} catch (IOException ioe) {
String text = "exception occured while opening selector. Reason: " + ioe.toString();
LOG.isLoggable(Level.SEVERE)
LOG.severe(text);
throw new RuntimeException(text, ioe);
}
......
}
Sensitive information about the selector may be leaked. The LOG.isLoggable(Level.SEVERE) conditional statement should be added
public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
......
try {
selector = Selector.open();
} catch (IOException ioe) {
String text = "exception occured while opening selector. Reason: " + ioe.toString();
if (LOG.isLoggable(Level.SEVERE))
LOG.severe(text);
throw new RuntimeException(text, ioe);
}
......
}
Please help me confirm it and give it a CVE ID.
Thank you very much!
Yours sincerely
Xiaoqin Fu
|
