[jboss-jira] [JBoss JIRA] Commented: (GPD-278) Security issue allows arbitrary java code to be deployed and executed

Jervis Liu (JIRA) jira-events at lists.jboss.org
Tue Dec 16 20:15:54 EST 2008


    [ https://jira.jboss.org/jira/browse/GPD-278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12442996#action_12442996 ] 

Jervis Liu commented on GPD-278:
--------------------------------

How about the workaround I suggested in SOA-1065? It is not ideal, but it fits a "micro/patch release", and it is also consistent with the approach taken by JBoss ESB.

"A quick fix can be something like what has been done in ESB, i.e., having a property called "supportMessageBasedScripting" in the jBPM process configuration file. Turning this flag on means the owner of this piece of code is fully aware of what his/her process will be doing and the security-related implications. By default this flag is turned off. Please refer to https://jira.jboss.org/jira/browse/JBESB-1561

But I agree that a long-term proper fix would have to have SecurityManager involved."

> Security issue allows arbitrary java code to be deployed and executed
> ---------------------------------------------------------------------
>
>                 Key: GPD-278
>                 URL: https://jira.jboss.org/jira/browse/GPD-278
>             Project: JBoss jBPM GPD
>          Issue Type: Bug
>          Components: jpdl
>            Reporter: Thomas Diesler
>            Assignee: Koen Aers
>
> The GPD circumvents the JBoss deployer architecture and hence allows arbitrary code to be executed on the AS

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
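The flag-based workaround discussed in the comment above, as an added Java example (not code from jBPM, JBoss ESB, or the commenter): a deploy-time gate that reads `supportMessageBasedScripting`, fails closed when the value is absent or unrecognised, and refuses process definitions that embed executable code unless the owner has explicitly opted in. Only the property name comes from the page; the class, the method names and the `carriesCode` hand-off from the deployer are assumptions made for this example.

```java
import java.util.Properties;

/** Added example: deploy-time gate modelled on the ESB-style opt-in flag (not jBPM code). */
public final class ScriptDeploymentGate {
    /** Property name taken from the workaround described in the comment. */
    public static final String FLAG = "supportMessageBasedScripting";

    private final boolean scriptingEnabled;

    public ScriptDeploymentGate(Properties processConfig) {
        this.scriptingEnabled = parseStrict(processConfig.getProperty(FLAG));
    }

    /** Fail closed: only the literal value "true" enables scripting; an absent,
     *  blank or unrecognised value (e.g. "yes", "1") leaves it disabled and is reported. */
    static boolean parseStrict(String raw) {
        if (raw == null) return false;
        String v = raw.trim();
        if (v.equals("true")) return true;
        if (!v.equals("false") && !v.isEmpty()) {
            System.err.println("WARN " + FLAG + "='" + raw + "' not recognised; scripting stays disabled");
        }
        return false;
    }

    public boolean isScriptingEnabled() { return scriptingEnabled; }

    /** Called by the deployer before a definition is accepted; carriesCode is true when the
     *  definition embeds scripts or class references that would run inside the server
     *  (detecting that is the deployer's job and is assumed here). */
    public void checkDeployment(String processName, boolean carriesCode) {
        if (carriesCode && !scriptingEnabled) {
            throw new SecurityException("Refusing to deploy '" + processName
                + "': it carries executable code and " + FLAG + " is not enabled");
        }
        System.out.println("AUDIT deploy " + processName + " carriesCode=" + carriesCode
            + " scriptingEnabled=" + scriptingEnabled);
    }

    public static void main(String[] args) {
        Properties defaults = new Properties();                // flag absent: default off
        ScriptDeploymentGate gate = new ScriptDeploymentGate(defaults);
        gate.checkDeployment("order-process", false);           // plain definition: accepted
        try {
            gate.checkDeployment("order-process-scripted", true);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());  // no opt-in: refused
        }
        Properties optIn = new Properties();
        optIn.setProperty(FLAG, "true");                       // explicit, deliberate opt-in
        new ScriptDeploymentGate(optIn).checkDeployment("order-process-scripted", true);
    }
}
```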
