JNI Signal Chaining and OWASP (Security)

Bernd Eckenfels ecki at zusammenkunft.net
Tue Apr 16 01:04:45 UTC 2019


Just to state the obvious, the LD_PRELOAD risk does not go away when you don’t use the feature. I think this scan result should be ignored (at best). It is more a weakness of the Linux bintools/ld and not your extension.

(In normal usage there is no risk as an attacker who can modify the environment variable of a user also can execute malicious code directly, however there have been problems with environment variable handling in su, cgi and sshd in the past, so it might be worth not forgetting about it)

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of Christian Heinrich <christian.heinrich at cmlh.id.au>
Sent: Tuesday, April 16, 2019 2:55 AM
To: Hank Edwards
Cc: security-dev at openjdk.java.net
Subject: Re: JNI Signal Chaining and OWASP (Security)

Hank,

On Fri, 12 Apr 2019 at 09:41, Hank Edwards <hedwards at crawfordtech.com> wrote:
> We've recently discovered that the use of C is considered a code injection risk by security analysis tools, such as ones that check for OWASP 2017.

I contribute to https://github.com/OWASP/Top10/pull/450

Can you please disclose the specific candidate[s] your security
analysis tool has cited within the OWASP Top Ten 2017 release?


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact