ExamTopics Logo
Mail Us[email protected]
Menu
Oracle Discussions
exam questions

Exam 1z0-819 All Questions

View all questions & answers for the 1z0-819 exam
Go to Exam

Exam 1z0-819 topic 1 question 8 discussion

Actual exam question from Oracle's 1z0-819
Question #: 8
Topic #: 1
[All 1z0-819 Questions]

Your organization makes mlib.jar available to your cloud customers. While working on a new feature for mlib.jar, you see that the customer visible method public void enableService(String hostName, String portNumber) executes this code fragment

and you see this grant is in the security policy file:

What security vulnerability does this expose to your cloud customer's code?

  • A. privilege escalation attack against the OS running the customer code
  • B. SQL injection attack against the specified host and port
  • C. XML injection attack against any mlib server
  • D. none because the customer code base must also be granted SocketPermission
  • E. denial of service attack against any reachable machine
Show Suggested Answer Hide Answer
Suggested Answer: E 🗳️
by Mukes877 at May 19, 2023, 9:21 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Stavok
Highly Voted 1 year, 11 months ago
Selected Answer: E
The correct answer is E. denial of service attack against any reachable machine. The code fragment shows that the enableService method uses the AccessController.doPrivileged method to create a new Socket with the specified hostname and portNumber. The security policy file grants the codebase permission to connect to any host using SocketPermission. This means that an attacker could potentially use this method to repeatedly create connections to any reachable machine, overwhelming its resources and causing a denial of service attack.
upvoted 7 times
lmocanasu
1 year, 9 months ago
The code and the security policy only grant the permission to create socket connections (java.io.SocketPermission "*","connect") from the code in mlib.jar. It doesn't grant any specific permissions to perform denial of service (DoS) attacks or other malicious activities. Therefore, option E is not a valid security vulnerability exposed by this code and policy. The primary security concern in this scenario is privilege escalation (option A), where the code in mlib.jar could potentially execute operations with elevated privileges on the customer's system. Options B and C are not directly relevant to the given code and policy, and option D is not accurate as it suggests that the customer code must also be granted SocketPermission, which is not necessary for the vulnerability described in option A.
upvoted 1 times
...
...
ASPushkin
Most Recent 9 months ago
Selected Answer: E
Any customer can call customer visible enableService(String hostName, String portNumber) "This means that an attacker could potentially use this method to repeatedly create connections to any reachable machine, overwhelming its resources and causing a denial of service attack"
upvoted 1 times
...
aruni_mishra
1 year ago
Denial of service attack against any reachable host: Letting socket connections to be opened to any host has the potential to cause a denial of service attack against that host.
upvoted 1 times
...
rami_mlaiel
1 year, 2 months ago
Selected Answer: A
Option A is correct because it pertains to full access being granted to the file.
upvoted 1 times
...
d7bb0b2
1 year, 5 months ago
The security vulnerability exposed to your cloud customer's code in this scenario is E. denial of service attack against any reachable machine. The SocketPermission "*", "connect"; grant in the security policy file allows the mlib.jar to establish a network connection to any host. If a malicious user has the ability to control the hostName and portNumber parameters of the enableService method, they could potentially create numerous connections to a specific host, thereby causing a Denial of Service (DoS) attack. This could make the targeted machine unavailable by flooding it with network requests. Please note that this is a potential risk, and actual exploitation would depend on various factors, including the control a malicious user has over the hostName and portNumber parameters, and the resilience of the targeted system.
upvoted 1 times
...
Ashan_Ozlov
1 year, 9 months ago
Selected Answer: A
Based on the fact that this has more to do with file access permissions I think option A makes sense, though there is potential for a DoS attack due to improper file handling I think A is more suited as the possibly most obvious vulnerability
upvoted 1 times
...
Mukes877
2 years, 1 month ago
Selected Answer: A
Right answer is A. B will not because The security vulnerability described in option B, an SQL injection attack against the specified host and port, is not applicable in this scenario.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel