Re: xalan_2.7.1 flagged for possible security violation [message #1220647 is a reply to message #1220643]
Thu, 12 December 2013 15:20
Patrick Rusk
Registered: June 2012
I have looked into this a bit more and am definitely confused by one thing, and slightly concerned about it, too.
The jar referenced in that directory is called "org.apache.xalan_2.7.1.v201005080400.jar", which is the exact name of the standard plug-in that is found in, say, the Eclipse IDE for Java EE Developers (4.3.1) plugins directory. Yet, the jar downloaded from the Orbit site is two bytes larger, and a binary diff shows tons of differences.
That could certainly be accounted for if someone recompiled the code intentionally and innocently, but why have "v201005080400" in there, rather than the date and time of the actual recompile?
Again, I could think of potentially innocent reasons to do that, but is there any chance that someone has deliberately constructed a mischievous file and put it there?
If the file on the Orbit site was an identical binary, I would definitely regard this as a false positive. I was pretty surprised that it wasn't identical.
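The comparison described in the post above (same jar name, two bytes larger, "tons of differences" in a binary diff) is worth doing at the entry level rather than on the raw file: a jar is a zip archive, so two jars can differ on disk purely because of the container (compression level, entry timestamps, manifest text) while every class file inside is byte-for-byte the same. The script below is an added example and is not code from the thread, from Orbit or from Apache Xalan; it hashes each entry's decompressed content and splits the differences into changed bytecode, changed META-INF metadata and everything else. The three sample jars it builds are constructed in memory with placeholder bytes (they are not real Xalan classes), and the entry names inside them are assumptions chosen for illustration.

```python
"""Entry-by-entry comparison of two jar files (added example, not from the forum thread)."""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def jar_entry_digests(jar_bytes: bytes) -> dict:
    """Map every file entry in a jar (a zip archive) to the SHA-256 of its decompressed bytes.

    Hashing decompressed content ignores differences that come only from the zip
    container (compression level, entry timestamps, entry order), so two jars whose
    bytes differ on disk can still come out entry-for-entry identical here.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = sha256_hex(zf.read(info))
    return digests


def compare_jars(a_bytes: bytes, b_bytes: bytes) -> dict:
    """Compare two jars and report which entries differ, grouped by how alarming they are."""
    a, b = jar_entry_digests(a_bytes), jar_entry_digests(b_bytes)
    changed = sorted(name for name in set(a) & set(b) if a[name] != b[name])
    return {
        "same_bytes": sha256_hex(a_bytes) == sha256_hex(b_bytes),
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        # Differing bytecode means the two jars are not the same build output.
        "changed_classes": [n for n in changed if n.endswith(".class")],
        # Manifest or signature-file differences usually point to a repackage, not a code change.
        "changed_metadata": [n for n in changed if n.startswith("META-INF/")],
        "changed_other": [n for n in changed
                          if not n.endswith(".class") and not n.startswith("META-INF/")],
    }


def build_jar(entries: dict) -> bytes:
    """Build a jar in memory from {entry_name: bytes}; fixed timestamps keep the output deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2010, 5, 8, 4, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample jars with placeholder bytes (not real Xalan bytecode):
# BASE is the reference build, REPACK has identical classes but a different manifest,
# TAMPERED has one class altered by a single byte.
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 28
MANIFEST = b"Manifest-Version: 1.0\r\nBundle-Version: 2.7.1.v201005080400\r\n"
BASE = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "org/apache/xalan/Version.class": FAKE_CLASS,
    "org/apache/xalan/res/XSLTInfo.properties": b"version=2.7.1\n",
})
REPACK = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST + b"Created-By: rebuild\r\n",
    "org/apache/xalan/Version.class": FAKE_CLASS,
    "org/apache/xalan/res/XSLTInfo.properties": b"version=2.7.1\n",
})
TAMPERED = build_jar({
    "META-INF/MANIFEST.MF": MANIFEST,
    "org/apache/xalan/Version.class": FAKE_CLASS + b"\x01",
    "org/apache/xalan/res/XSLTInfo.properties": b"version=2.7.1\n",
})

if __name__ == "__main__":
    for label, other in (("repack", REPACK), ("tampered", TAMPERED)):
        r = compare_jars(BASE, other)
        print(label, "same bytes:", r["same_bytes"],
              "classes changed:", r["changed_classes"],
              "metadata changed:", r["changed_metadata"])
```

To run it against real files, call `compare_jars(open(a, "rb").read(), open(b, "rb").read())` with the two downloaded jars. An empty `changed_classes` list with only manifest differences is consistent with an innocent repackage; any entry in `changed_classes`, or a class present in only one jar, is the case that deserves a `javap` comparison or a question to the distributor before treating the alert as a false positive.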
Re: xalan_2.7.1 flagged for possible security violation [message #1231384 is a reply to message #1220452]
Tue, 14 January 2014 09:39
Gunnar Wagenknecht
Registered: July 2009
On 2013-12-11 19:46:00 +0000, Patrick Rusk said:
> My company's security infrastructure recently flagged...
> ..as having a potential Java_Deserialization_Privilege_Escalation
I'm afraid that your company's security infrastructure needs to unveil
more details about the found vulnerability. Privilege escalation
usually requires a flaw/vulnerability in the JRE. The JRE is creating
the sandbox out of which malicious code wants to escape.
Frankly, I think that blocking download.eclipse.org may not help to
address any of such vulnerabilities. You need to update the JRE
installations and/or block *all* internet sites distributing untrusted