SocketFactory vulnerability CVE-2011-3560

The HttpsURLConnection class does not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java™ application or applet that is running in a sandbox could use this flaw to bypass connection restrictions that are defined in the policy. This vulnerability is addressed in this release.

Note: Use java.lang.RuntimePermission("setFactory") to update the Java security java.policy file to include the "setFactory" permission, if it is not already there. This permission is required for Java applications or applets that need to set a particular SSLSocketFactory.
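
An added example, not part of the original release note: a small Python check that lists which grant entries in a java.policy file already allow "setFactory" (directly, through a RuntimePermission wildcard, or through AllPermission) and marks entries that have no codeBase, signedBy or principal and therefore apply to all code. The policy text is a constructed sample, the function name is hypothetical, and the parser assumes no escaped quotes inside strings.

```python
import re

# Constructed sample policy text (not taken from any real installation).
SAMPLE_POLICY = r'''
// constructed example
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file:/opt/example-app/lib/-" {
    permission java.lang.RuntimePermission "setFactory";
};
/* no codeBase, signedBy or principal: applies to all code */
grant {
    permission java.lang.RuntimePermission "setFactory";
};
'''

# Quoted strings are matched first so "//" or "/*" inside a codeBase URL survive.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
# One grant entry: header up to "{", body up to "};", skipping quoted strings.
GRANT_RE = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;', re.I)
# Entries that allow setFactory directly, by wildcard, or through AllPermission.
PERM_RE = re.compile(r'(?i:permission)\s+(?:java\.security\.AllPermission\b'
                     r'|java\.lang\.RuntimePermission\s+"(?:setFactory|\*)")')
SCOPE_RE = re.compile(r'\b(?:codeBase|signedBy|principal)\b', re.I)

def set_factory_grants(policy_text):
    """Return [(scope, applies_to_all_code)] for grant entries allowing setFactory."""
    text = TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ',
                        policy_text)
    findings = []
    for header, body in GRANT_RE.findall(text):
        if PERM_RE.search(body):
            scope = ' '.join(header.split())
            findings.append((scope or '<all code>', not SCOPE_RE.search(header)))
    return findings

if __name__ == '__main__':
    for scope, broad in set_factory_grants(SAMPLE_POLICY):
        print(('REVIEW ' if broad else 'ok     ') + scope)
```

An entry marked REVIEW gives the permission to every class the policy covers, including sandboxed code, so the grant is better scoped to the codeBase of the application that needs to set the factory.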