Re: [xSocket-develop] A xSocket security vulnerability
From: Xiaoqin Fu <xia...@gm...> - 2019-08-13 04:52:13
Dear developers:
I am a Ph.D. student at Washington State University. I applied the dynamic
taint analyzer distTaint to xSocket (version 2.8.5), and then found a
security vulnerability from the tainted paths:
    public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
        ......
        try {
            selector = Selector.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " + ioe.toString();
            LOG.isLoggable(Level.SEVERE)
            LOG.severe(text);
            throw new RuntimeException(text, ioe);
        }
        ......
    }
Sensitive information about the selector may be leaked. The
LOG.isLoggable(Level.SEVERE) conditional statement should be added:
    public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
        ......
        try {
            selector = Selector.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " + ioe.toString();
            if (LOG.isLoggable(Level.SEVERE))
                LOG.severe(text);
            throw new RuntimeException(text, ioe);
        }
        ......
    }
It was recorded at https://sourceforge.net/p/xsocket/bugs/24/.
Please help me confirm it.
Thank you very much!
Yours sincerely
On Sat, Aug 3, 2019 at 11:44 AM Xiaoqin Fu <xia...@gm...> wrote:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied the dynamic
> taint analyzer distTaint to xSocket (version 2.8.5), and then found a
> security vulnerability from the tainted paths:
>     public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
>         ......
>         try {
>             selector = Selector.open();
>         } catch (IOException ioe) {
>             String text = "exception occured while opening selector. Reason: " + ioe.toString();
>             LOG.isLoggable(Level.SEVERE)
>             LOG.severe(text);
>             throw new RuntimeException(text, ioe);
>         }
>         ......
>     }
> Sensitive information about the selector may be leaked. The
> LOG.isLoggable(Level.SEVERE) conditional statement should be added:
>     public IoSocketDispatcher(AbstractMemoryManager memoryManager, String name) {
>         ......
>         try {
>             selector = Selector.open();
>         } catch (IOException ioe) {
>             String text = "exception occured while opening selector. Reason: " + ioe.toString();
>             if (LOG.isLoggable(Level.SEVERE))
>                 LOG.severe(text);
>             throw new RuntimeException(text, ioe);
>         }
>         ......
>     }
>
> Please help me confirm it.
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
>
>
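The following stand-alone program is an added example, not part of the e-mail above and not xSocket's own code. It takes the guarded catch block proposed in the report and exercises its failure path with a constructed IOException, capturing what actually reaches the log handler when SEVERE logging is enabled and when the logger is switched off. The `SelectorFactory` interface, `openSelector` and `CapturingHandler` are hypothetical names introduced here so that the failing path can be triggered without a real Selector.open() failure.

```java
import java.io.IOException;
import java.nio.channels.Selector;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class GuardedSelectorOpen {
    private static final Logger LOG = Logger.getLogger(GuardedSelectorOpen.class.getName());

    // Hypothetical seam: lets the test inject a failure in place of Selector.open().
    interface SelectorFactory {
        Selector open() throws IOException;
    }

    // Handler that records every message it receives so we can inspect what was logged.
    static final class CapturingHandler extends Handler {
        final List<String> messages = new ArrayList<>();
        @Override public void publish(LogRecord r) { messages.add(r.getMessage()); }
        @Override public void flush() {}
        @Override public void close() {}
    }

    // Same shape as the guarded catch block from the report: build the text,
    // log it only if SEVERE is enabled, then rethrow with the text attached.
    static Selector openSelector(SelectorFactory factory) {
        try {
            return factory.open();
        } catch (IOException ioe) {
            String text = "exception occured while opening selector. Reason: " + ioe.toString();
            if (LOG.isLoggable(Level.SEVERE)) {
                LOG.severe(text);
            }
            throw new RuntimeException(text, ioe);
        }
    }

    // Runs openSelector at the given logger level and returns the captured log messages.
    static List<String> run(Level level, SelectorFactory factory) {
        CapturingHandler handler = new CapturingHandler();
        LOG.setUseParentHandlers(false);   // keep the console quiet; we only want our handler
        LOG.addHandler(handler);
        LOG.setLevel(level);
        try {
            openSelector(factory);
        } catch (RuntimeException expected) {
            // The exception carries the same text whether or not it was logged.
        } finally {
            LOG.removeHandler(handler);
        }
        return handler.messages;
    }

    public static void main(String[] args) throws IOException {
        // Constructed failure standing in for Selector.open() throwing IOException.
        SelectorFactory failing = () -> { throw new IOException("constructed failure"); };

        System.out.println("SEVERE enabled -> logged: " + run(Level.SEVERE, failing));
        System.out.println("logging OFF    -> logged: " + run(Level.OFF, failing));

        // Normal path with the real selector, to show the wrapper itself is sound.
        try (Selector s = openSelector(Selector::open)) {
            System.out.println("Selector.open() succeeded, open=" + s.isOpen());
        }
    }
}
```

Two things worth noting when evaluating the report. java.util.logging's Logger.severe(String) already performs the isLoggable(Level.SEVERE) check internally before creating a LogRecord, so the explicit guard changes what reaches the handler only in that it skips the call; it does not stop the `text` string (which embeds ioe.toString()) from being built, since that concatenation happens before the `if`. And the same text is passed to the RuntimeException that is thrown in both versions, so any caller that logs or displays that exception's message receives the same information regardless of the guard.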