CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-600: Uncaught Exception in Servlet

 
Uncaught Exception in Servlet
Weakness ID: 600 (Weakness Base)Status: Draft
+ Description

Description Summary

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Extended Description

When a Servlet throws an exception, the default error response the Servlet container sends back to the user typically includes debugging information. This information is of great value to an attacker. For example, a stack trace might show the attacker a malformed SQL query string, the type of database being used, and the version of the application container. This information enables the attacker to target known vulnerabilities in these components.

+ Alternate Terms
Missing Catch Block
+ Time of Introduction
  • Implementation
+ Common Consequences
ScopeEffect
Confidentiality
Availability

Technical Impact: Read application data; DoS: crash / exit / restart

+ Demonstrative Examples

Example 1

In the following method a DNS lookup failure will cause the Servlet to throw an exception.

(Bad Code)
Example Language: Java 
protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
String ip = req.getRemoteAddr();
InetAddress addr = InetAddress.getByName(ip);
...
out.println("hello " + addr.getHostName());
}
+ Potential Mitigations

Implement Exception blocks to handle all types of Exceptions.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base248Uncaught Exception
Research Concepts (primary)1000
ChildOfCategoryCategory388Error Handling
Development Concepts (primary)699
ChildOfCategoryCategory851CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
CanPrecedeWeakness BaseWeakness Base209Information Exposure Through an Error Message
Research Concepts1000
PeerOfWeakness ClassWeakness Class390Detection of Error Condition Without Action
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CERT Java Secure CodingERR01-JDo not allow exceptions to expose sensitive information
+ Maintenance Notes

The "Missing Catch Block" concept is probably broader than just Servlets, but the broader concept is not sufficiently covered in CWE.

+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other_Notes
2009-03-10CWE Content TeamMITREInternal
updated Alternate_Terms, Description, Maintenance_Notes, Name, Other_Notes, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative_Examples
2010-12-13CWE Content TeamMITREInternal
updated Description, Name
2011-03-29CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Missing Catch Block
2009-03-10Failure to Catch All Exceptions (Missing Catch Block)
2010-12-13Failure to Catch All Exceptions in Servlet
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us