VIEW SLICE: CWE-660: Weaknesses found in the Java Language
(Draft 9)
View ID
| Status: Draft 660 (View) | | Objective | This view (slice) covers issues that are found in Java that are not common to all languages. | | View Data | Filter Used: .//Applicable_Platforms/Platform='Java' | CWEs in this view | | Total CWEs |
|---|
| Total | 70 | out of | 695 | | Views | 0 | out of | 14 | | Categories | 1 | out of | 64 | | Weaknesses | 69 | out of | 605 | | Compound_Elements | 0 | out of | 12 |
|
View Components View Components A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
Weakness ID
| Status: Draft 582 (Weakness Variant) | | Description | Summary The program declares an
array public, final, and static, which is not sufficient to prevent the array's contents from being modified. Extended Description Because arrays are mutable objects, the final constraint requires
that the array object itself be assigned only once, but makes no guarantees about the values of
the array elements. Since the array is public, a malicious program can change the values stored
in the array.
| | Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) | | Potential Mitigations | In most situations the array should be made private. | Demonstrative
Examples | The following Java Applet code mistakenly declares an array public, final
and static. public final class urlTool extends Applet {
public final static URL[] urls;
...
} Mobile code, in this case a Java Applet, is code that is transmitted
across a network and executed on a remote machine. Because mobile code
developers have little if any control of the environment in which their code
will execute, special security concerns become relevant. One of the biggest
environmental threats results from the risk that the mobile code will run
side-by-side with other, potentially malicious, mobile code. Because all of the
popular web browsers execute code from multiple sources together in the same
JVM, many of the security guidelines for mobile code are focused on preventing
manipulation of your objects' state and behavior by adversaries who have access
to the same virtual machine where your program is running. | | Context Notes | In most cases an array declared public, final and static is a bug. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 481 (Weakness Variant) | | Description | Summary The code uses an operator for assignment when the intention was to perform a comparison. Extended Description In many languages the compare statement is very close in appearance to the
assignment statement and are often confused.
| | Likelihood of Exploit | Low | | Potential Mitigations | Pre-design: Through Build: Many IDEs and static analysis products will
detect this problem. Implementation: Place constants on the left. If one attempts to assign a
constant with a variable, the compiler will of course produce an error. | Demonstrative
Examples | void called(int foo){
if (foo=1) printf("foo\n");
}
int main() {
called(2);
return 0;
} | | Context Notes | This bug is generally as a result of a typo and usually should cause obvious
problems with program execution. If the comparison is in an if statement, the if
statement will always return the value of the right-hand side variable. | | Relationships | | | Source Taxonomies | CLASP - Assigning instead of comparing | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Draft 572 (Weakness Variant) | | Description | Summary The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee. | | Affected Resource | System Process | Demonstrative
Examples | The following excerpt from a Java program mistakenly calls run() instead of start(). Thread thr = new Thread() {
public void run() {
...
}
};
thr.run(); | | Context Notes | In most cases a direct call to a Thread object's run() method is a bug. The programmer
intended to begin a new thread of control, but accidentally called run() instead of start(), so
the run() method will execute in the caller's thread of control. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 580 (Weakness Variant) | | Description | Summary The software contains a clone() method that fails to call super.clone() to obtain the new
object. | Demonstrative
Examples | The following two classes demonstrate a bug introduced by failing to call
super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone
method will return an object of type Kibitzer instead of FancyKibitzer. Java Example: public class Kibitzer {
public Object clone() throws CloneNotSupportedException {
Object returnMe = new Kibitzer();
...
}
}
public class FancyKibitzer extends Kibitzer{
public Object clone() throws CloneNotSupportedException {
Object returnMe = super.clone();
...
}
} | | Context Notes | All implementations of clone() should obtain the new object by calling super.clone().
If a class fails to follow this convention, a subclass's clone() method will return an object of
the wrong type. It is also a good idea to declare your clone method as final. You may not want users
inheriting your class to tamper with the clone method. In some cases, you can eliminate the clone
method altogether in some cases and use copy constructors. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 486 (Weakness Variant) | | Description | Summary The program compares classes by
name, which can cause it to use the wrong class if two
different classes are treated as the same. | | Likelihood of Exploit | High | | Common Consequences | Authorization: If a program relies solely on the name of an object to
determine identity, it may execute the incorrect or unintended code. | | Potential Mitigations | Implementation: Use class equivalency to determine type. Rather than use the
class name to determine if an object is of a given type, use the getClass() method,
and == operator. | Demonstrative
Examples | if (inputClass.getClass().getName().equals("TrustedClassName")) {
// Do something assuming you trust inputClass
// ...
} | | Context Notes | If the decision to trust the methods and data of an object is based on the
name of a class, it is possible for malicious users to send objects of the same name as
trusted classes and thereby gain the trust afforded to known classes and types. | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - Comparing Classes by Name CLASP - Comparing classes by name | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 493 (Weakness Variant) | | Description | Summary The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. | | Potential Mitigations | Declare all public fields final when possible. | Demonstrative
Examples | The following Java Applet code mistakenly declares a member variable public but not
final. public final class urlTool extends Applet {
public URL url;
...
} Mobile code, in this case a Java Applet, is code that is transmitted across a
network and executed on a remote machine. Because mobile code developers have little if
any control of the environment in which their code will execute, special security concerns
become relevant. One of the biggest environmental threats results from the risk that the
mobile code will run side-by-side with other, potentially malicious, mobile code. Because
all of the popular web browsers execute code from multiple sources together in the same
JVM, many of the security guidelines for mobile code are focused on preventing
manipulation of your objects' state and behavior by adversaries who have access to the
same virtual machine where your program is running. | | Context Notes | All public member variables in an Applet and in classes used by an Applet should be
declared final to prevent an attacker from manipulating or gaining unauthorized access to the
internal state of the Applet. | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - Mobile Code: Non-Final Public Field | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 396 (Weakness Base) | | Description | Summary Catching overly broad exceptions promotes complex error handling code that is more likely
to contain security vulnerabilities. | Demonstrative
Examples | The following code excerpt handles three types of exceptions in an identical
fashion. try { doExchange(); }
catch (IOException e) {
logger.error("doExchange failed", e);
}
catch (InvocationTargetException e) {
logger.error("doExchange failed", e);
}
catch (SQLException e) {
logger.error("doExchange failed", e);
} At first blush, it may seem preferable to deal with these exceptions in a single
catch block, as follows: try { doExchange(); } catch (Exception e) {
logger.error("doExchange failed", e); } However, if doExchange() is modified to throw a
new type of exception that should be handled in some different kind of way, the broad
catch block will prevent the compiler from pointing out the situation. Further, the new
catch block will now also handle exceptions derived from RuntimeException such as
ClassCastException, and NullPointerException, which is not the programmer's intent.
| | Context Notes | Multiple catch blocks can get ugly and repetitive, but "condensing" catch blocks by
catching a high-level class like Exception can obscure exceptions that deserve special treatment
or that should not be caught at this point in the program. Catching an overly broad exception
essentially defeats the purpose of Java's typed exceptions, and can become particularly dangerous
if the program grows and begins to throw new types of exceptions. The new exception types will not
receive any attention. | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - Overly-Broad Catch Block | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Draft 397 (Weakness Base) | | Description | Summary Throwing overly broad exceptions promotes complex error handling code that is more likely
to contain security vulnerabilities. | Demonstrative
Examples | The following method throws three types of exceptions. public void doExchange() throws IOException, InvocationTargetException, SQLException {
...
} While it might seem tidier to write public void doExchange() throws Exception { ...
} doing so hampers the caller's ability to understand and handle the exceptions that
occur. Further, if a later revision of doExchange() introduces a new type of exception
that should be treated differently than previous exceptions, there is no easy way to
enforce this requirement. | | Context Notes | Declaring a method to throw Exception or Throwable makes it difficult for callers to do
good error handling and error recovery. Java's exception mechanism is set up to make it easy for
callers to anticipate what can go wrong and write code to handle each specific exceptional
circumstance. Declaring that a method throws a generic form of exception defeats this system. | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - Overly-Broad Throws Declaration | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Draft 111 (Weakness Base) | | Description | Summary When a Java application uses the Java Native Interface (JNI) to call code written in
another programming language, it can expose the application to weaknesses in that code, even if
those weaknesses cannot occur in Java. | | Weakness Ordinality | Primary (Weakness exists independent of other weaknesses) | | Causal Nature | Explicit (This is an explicit weakness resulting from behavior of the developer) | Demonstrative
Examples | The following code defines a class named Echo. The class declares one native method
(defined below), which uses C to echo commands entered on the console back to the user.
class Echo { public native void runEcho(); static { System.loadLibrary("echo"); } public
static void main(String[] args) { new Echo().runEcho(); } } The following C code defines
the native method implemented in the Echo class: Java Example: #include <jni.h>
#include "Echo.h"//the java class above compiled with javah
#include <stdio.h>
JNIEXPORT void JNICALL
Java_Echo_runEcho(JNIEnv *env, jobject obj)
{
char buf[64];
gets(buf);
printf(buf);
} Because the example is implemented in Java, it may appear that it is immune to
memory issues like buffer overflow vulnerabilities. Although Java does do a good job of
making memory operations safe, this protection does not extend to vulnerabilities
occurring in source code written in other languages that are accessed using the Java
Native Interface. Despite the memory protections offered in Java, the C code in this
example is vulnerable to a buffer overflow because it makes use of gets(), which does not
perform any bounds checking on its input. The Sun Java(TM) Tutorial provides the following
description of JNI [See Reference]: The JNI framework lets your native method utilize Java
objects in the same way that Java code uses these objects. A native method can create Java
objects, including arrays and strings, and then inspect and use these objects to perform
its tasks. A native method can also inspect and use objects created by Java application
code. A native method can even update Java objects that it created or that were passed to
it, and these updated objects are available to the Java application. Thus, both the native
language side and the Java side of an application can create, update, and access Java
objects and then share these objects between them. The vulnerability in the example above
could easily be detected through a source code audit of the native method implementation.
This may not be practical or possible depending on the availability of the C source code
and the way the project is built, but in many cases it may suffice. However, the ability
to share objects between Java and native methods expands the potential risk to much more
insidious cases where improper data handling in Java may lead to unexpected
vulnerabilities in native code or unsafe operations in native code corrupt data structures
in Java. Vulnerabilities in native code accessed through a Java application are typically
exploited in the same manner as they are in applications written in the native language.
The only challenge to such an attack is for the attacker to identify that the Java
application uses native code to perform certain operations. This can be accomplished in a
variety of ways, including identifying specific behaviors that are often implemented with
native code or by exploiting a system information leak in the Java application that
exposes its use of JNI [See Reference]. | | Context Notes | Native code is unprotected by the security features enforced by the runtime
environment, such as strong typing and array bounds checking. Many safety features that
programmers may take for granted simply do not apply for native code, so you must carefully review
all such code for potential problems. Other programming languages that may be more susceptible to
buffer overflows and other attacks, such as C or C++, usually implement native code.
Language-based encapsulation is broken. | | References | | | Relationships | | | Source Taxonomies | 7 Pernicious Kingdoms - Unsafe JNI | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 609 (Weakness Base) | | Description | Summary The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient. Extended Description Double-checked locking refers to the situation where a programmer checks to see if a
resource has been initialized, grabs a lock, checks again to see if the resource has been
initialized, and then performs the initialization if it has not occurred yet. This should not be done, as is not guaranteed
to work in all languages and on all architectures.
In summary, other
threads may not be operating inside the synchronous block and are not guaranteed to see the
operations execute in the same order as they would appear inside the synchronous block. | | Potential Mitigations | While double-checked locking can be achieved in some languages, it is inherently flawed
in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references. | Demonstrative
Examples | It may seem that the following bit of code achieves thread safety while
avoiding unnecessary synchronization... Java Example: if (helper == null) {
synchronized (this) {
if (helper == null) {
helper = new Helper();
}
}
}
return helper; The programmer wants to guarantee that only one
<code>Helper()</code> object is ever allocated, but does
not want to pay the cost of synchronization every time this code is
called. Let's say helper is not initialized. Then, thread A comes along, sees
that helper==null, and enters the synchronized block and begins to execute: If a second thread, thread B, takes over in the middle of this call and
helper has not finished running the constructor, then thread B may make calls on
helper while its fields hold incorrect values. | | Context Notes | | | References | | | Relationships | | | Source Taxonomies | Anonymous Tool Vendor (under NDA) - | | Applicable Platforms | Java | | Time of Introduction | Implementation |
Weakness ID
| Status: Draft 494 (Weakness Variant) | | Description | Summary The product downloads external
source or binaries and executes it without sufficiently
verifying the origin and integrity of the downloaded code. | | Likelihood of Exploit | Medium | | Potential Mitigations | Implementation: Avoid doing this without proper cryptographic safeguards. | Demonstrative
Examples | Java Example: URL[] classURLs= new URL[]{new URL("file:subdir/")};
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader); | | Context Notes | This is an unsafe practice and should not be performed unless one can use some type of
cryptographic protection to assure that the mobile code has not been altered. | | Relationships | | | Source Taxonomies | CLASP - Invoking untrusted mobile code | | Applicable Platforms | Java |
Weakness ID
| Status: Incomplete 462 (Weakness Base) | | Description | Summary Duplicate keys in associative lists can lead to non-unique keys being mistaken for an
error. | | Likelihood of Exploit | Low | | Potential Mitigations | Design: Use a hash table instead of an alist. Design: Use an alist which checks the uniqueness of hash keys with each entry before
inserting the entry. | | Context Notes | A duplicate key entry -- if the alist is designed properly -- could be used as a
constant time replace function. However, duplicate key entries could be inserted by mistake.
Because of this ambiguity, duplicate key entries in an association list are not recommended and
should not be allowed. In Python: alist = [] while (foo()): #now assume there is a string data with a key
basename queue.append(basename,data) queue.sort() Since basename is not necessarily unique, this
may not sort how one would like it to be. | | Relationships | | | Source Taxonomies | CLASP - Duplicate key in associative list (alist) | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Draft 575 (Weakness Variant) | | Description | Summary The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing. | | Context Notes | The Enterprise JavaBeans specification requires that every bean provider follow a set
of programming guidelines designed to ensure that the bean will be portable and behave
consistently in any EJB container. In this case, the program violates the following EJB guideline:
"An enterprise bean must not use the AWT functionality to attempt to output information to a
display, or to input information from a keyboard." A requirement that the specification justifies
in the following way: "Most servers do not allow direct interaction between an application program
and a keyboard/display attached to the server system." | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 578 (Weakness Variant) | | Description | Summary The program violates the Enterprise JavaBeans (EJB) specification by using the class loader. | | Context Notes | The Enterprise JavaBeans specification requires that every bean provider follow a set
of programming guidelines designed to ensure that the bean will be portable and behave
consistently in any EJB container. In this case, the program violates the following EJB guideline:
"The enterprise bean must not attempt to create a class loader; obtain the current class loader;
set the context class loader; set security manager; create a new security manager; stop the JVM;
or change the input, output, and error streams." A requirement that the specification justifies in
the following way: "These functions are reserved for the EJB container. Allowing the enterprise
bean to use these functions could compromise security and decrease the container's ability to
properly manage the runtime environment." | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 576 (Weakness Variant) | | Description | Summary The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package. | | Context Notes | The Enterprise JavaBeans specification requires that every bean provider follow a set
of programming guidelines designed to ensure that the bean will be portable and behave
consistently in any EJB container. In this case, the program violates the following EJB guideline:
"An enterprise bean must not use the java.io package to attempt to access files and directories in
the file system." The specification justifies this requirement in the following way: "The file
system APIs are not well-suited for business components to access data. Business components should
use a resource manager API, such as JDBC, to store data." | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 577 (Weakness Variant) | | Description | Summary The program violates the Enterprise JavaBeans (EJB) specification by using sockets. | | Context Notes | The Enterprise JavaBeans specification requires that every bean provider follow a set
of programming guidelines designed to ensure that the bean will be portable and behave
consistently in any EJB container. In this case, the program violates the following EJB guideline:
"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use
a socket for multicast." A requirement that the specification justifies in the following way: "The
EJB architecture allows an enterprise bean instance to be a network socket client, but it does not
allow it to be a network server. Allowing the instance to become a network server would conflict
with the basic function of the enterprise bean-- to serve the EJB clients." | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 574 (Weakness Variant) | | Description | Summary The program violates the Enterprise JavaBeans (EJB) specification by using thread
synchronization primitives. | | Context Notes | The Enterprise JavaBeans specification requires that every bean provider follow a set
of programming guidelines designed to ensure that the bean will be portable and behave
consistently in any EJB container. In this case, the program violates the following EJB guideline:
"An enterprise bean must not use thread synchronization primitives to synchronize execution of
multiple instances." A requirement that the specification justifies in the following way: "This
rule is required to ensure consistent runtime semantics because while some EJB containers may use
a single JVM to execute all enterprise bean's instances, others may distribute the instances
across multiple JVMs." | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 585 (Weakness Variant) | | Description | Summary The software contains an empty synchronized block. | Demonstrative
Examples | | | Context Notes | Synchronization in Java can be tricky. An empty synchronized block is often a sign that
a programmer is wrestling with synchronization but has not yet achieved the result they intend. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 586 (Weakness Variant) | | Description | Summary The software makes an explicit call to the finalize() method from outside the finalizer. | Demonstrative
Examples | The following code fragment calls finalize() explicitly: // time to clean up
widget.finalize(); | | Context Notes | While the Java Language Specification allows an object's finalize() method to be called
from outside the finalizer, doing so is usually a bad idea. For example, calling finalize()
explicitly means that finalize() will be called more than once: the first time will be the
explicit call and the last time will be the call that is made after the object is garbage
collected. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 478 (Weakness Variant) | | Description | Summary The failure to account for the default case in switch statements may lead to complex
logical errors and may aid in other, unexpected security-related conditions. | | Common Consequences | Undefined: Depending on the logical circumstances involved, any consequences
may result: e.g., issues of confidentiality, authentication, authorization, availability,
integrity, accountability, or non-repudiation. | | Potential Mitigations | Implementation: Ensure that there are no unaccounted for cases, when adjusting flow or
values based on the value of a given variable. In switch statements, this can be accomplished
through the use of the default label. | Demonstrative
Examples | In general, a safe switch statement has this form: switch (value) {
case 'A':
printf("A!\n");
break;
case 'B':
printf("B!\n");
break;
default:
printf("Neither A nor B\n");
} This is because the assumption cannot be made that all possible cases are accounted
for. A good practice is to reserve the default case for error handling. | | Context Notes | This flaw represents a common problem in software development, in which not all
possible values for a variable are considered or handled by a given process. Because of this,
further decisions are made based on poor information, and cascading failure results. This
cascading failure may result in any number of security issues, and constitutes a significant
failure in the system. In the case of switch style statements, the very simple act of creating a
default case can mitigate this situation, if done correctly. Often however, the default cause is
used simply to represent an assumed option, as opposed to working as a sanity check. This is poor
practice and in some cases is as bad as omitting a default case entirely. | | Relationships | | | Source Taxonomies | CLASP - Failure to account for default case in switch | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Incomplete 583 (Weakness Variant) | | Description | Summary The program violates secure coding principles for mobile code by declaring a finalize()
method public. | | Potential Mitigations | If you are using finalize() as it was designed, there is no reason to declare
finalize() with anything other than protected access. | Demonstrative
Examples | The following Java Applet code mistakenly declares a public finalize() method. public final class urlTool extends Applet {
public void finalize() {
...
}
...
} Mobile code, in this case a Java Applet, is code that is transmitted across a
network and executed on a remote machine. Because mobile code developers have little if
any control of the environment in which their code will execute, special security concerns
become relevant. One of the biggest environmental threats results from the risk that the
mobile code will run side-by-side with other, potentially malicious, mobile code. Because
all of the popular web browsers execute code from multiple sources together in the same
JVM, many of the security guidelines for mobile code are focused on preventing
manipulation of your objects' state and behavior by adversaries who have access to the
same virtual machine where your program is running. | | Context Notes | A program should never call finalize explicitly, except to call super.finalize() inside
an implementation of finalize(). In mobile code situations, the otherwise error prone practice of
manual garbage collection can become a security threat if an attacker can maliciously invoke one
of your finalize() methods because it is declared with public access. | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 568 (Weakness Variant) | | Description | Summary The software contains a finalize() method that does not call super.finalize(). | Demonstrative
Examples | The following method omits the call to super.finalize(). Java Example: protected void finalize() {
discardNative();
} | | Context Notes | The Java Language Specification states that it is a good practice for a finalize()
method to call super.finalize() | | Relationships | | | Applicable Platforms | Java |
Weakness ID
| Status: Draft 460 (Weakness Variant) | | Description | Summary The product does not sufficiently
clean up its state when an exception is thrown, leading to
unexpected state or control flow. | | Likelihood of Exploit | Medium | | Common Consequences | Implementation: The code could be left in a bad state. | | Potential Mitigations | Implementation: If one breaks from a loop or function by throwing an exception, make
sure that cleanup happens or that you should exit the program. Use throwing exceptions
sparsely. | Demonstrative
Examples | C++/Java Example: public class foo {
public static final void main( String args[] ) {
boolean returnValue;
returnValue=doStuff();
}
public static final boolean doStuff( ) {
boolean threadLock;
boolean truthvalue=true;
try {
while(
//check some condition
) {
threadLock=true; //do some stuff to truthvalue
threadLock=false;
}
}
catch (Exception e){
System.err.println("You did something bad");
if (something) return truthvalue;
}
return truthvalue;
}
} In this case, you may leave a thread locked accidentally. | | Context Notes | Often, when functions or loops become complicated, some level of cleanup in the
beginning to the end is needed. Often, since exceptions can disturb the flow of the code, one can
leave a code block in a bad state. | | Relationships | | | Source Taxonomies | CLASP - Improper cleanup on thrown exception | | Applicable Platforms | C C++ Java .NET |
Weakness ID
| Status: Incomplete 194 (Weakness Base) | | Description | Summary If one extends a signed number incorrectly, if negative numbers are used, an incorrect
extension may result. | | Likelihood of Exploit | High | | Common Consequences | Integrity: If one attempts to sign extend a negative variable with an unsigned
extension algorithm, it will produce an incorrect result. Authorization: Sign extension errors -- if they are used to collect
information from smaller signed sources -- can often create buffer overflows and other memory
based problems. | | Potential Mitigations | Implementation: Use a sign extension library or standard function to extend signed
numbers. Implementation: When extending signed numbers fill in the new bits with 0 if the sign
bit is 0 or fill the new bits with 1 if the sign bit is 1. | Demonstrative
Examples | C Example: struct fakeint { short f0; short zeros; };
struct fakeint strange;
struct fakeint strange2;
strange.f0=-240;
strange2.f0=240;
strange2.zeros=0;
strange.zeros=0;
printf("%d %d\n",strange.f0,strange);
printf("%d %d\n",strange2.f0,strange2); | | Context Notes | Sign extension errors -- if they are used to collect information from smaller signed
sources -- can often create buffer overflows and other memory based problems. | | Relationships | | | Source Taxonomies | CLASP - Sign extension error | | Applicable Platforms | C C++ Java .NET | | Time of Introduction | Implementation |
Weakness ID
| Status: Draft 498 (Weakness Variant) | | Description | Summary The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. Extended Description Cloneable classes are effectively open classes, since data cannot be hidden in them.
| | Likelihood of Exploit | Medium | | Common Consequences | Confidentiality: A class which can be cloned can be produced without executing
the constructor. | | Potential Mitigations | Implementation: Make classes uncloneable by defining a clone function like: public
final void clone() throws java.lang.CloneNotSupportedException { throw new
java.lang.CloneNotSupportedException(); } Implementation: If you do make your classes clonable, ensure that your clone method is
final and throw super.clone(). | Demonstrative
Examples | Java Example: public class CloneClient {
public CloneClient() //throws
java.lang.CloneNotSupportedException {
Teacher t1 = new Teacher("guddu","22,nagar road");
//...
// Do some stuff to remove the teacher.
Teacher t2 = (Teacher)t1.clone();
System.out.println(t2.name);
}
public static void main(String args[]) {
new CloneClient();
}
}
class Teacher implements Cloneable {
public Object clone() {
try {
return super.clone();
}
catch (java.lang.CloneNotSupportedException e) {
throw new RuntimeException(e.toString());
}
}
public String name;
public String clas;
public Teacher(String name,String clas) {
this.name = name; this.clas = clas;
}
} | | Context Notes | Classes which do no explicitly deny cloning can be cloned by any other class without
running the constructor. This is, of course, dangerous since numerous checks and security aspects
of an object are often taken care of in the constructor. | | Relationships | | | Source Taxonomies | CLASP - Information leak through class cloning | | Applicable Platforms | C++ Java .NET |
Weakness ID
| Status: Incomplete 537 (Weakness Variant) | | Description | Summary In many cases, an attacker can leverage the conditions that cause unhandled
exception errors in order to gain unauthorized access to the system. | | Relationships | | | Source Taxonomies | Anonymous Tool Vendor (under NDA) - | | Applicable Platforms | Java |
|
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated