SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 80

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Memory and resource leaks during serialization can result in a resource exhaustion attack or can crash the Java Virtual Machine.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER10-J

Low

Unlikely

Low

P3

L3

Automated Detection

Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed is feasible.

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.ALLOC.LEAK.NOTSTORED
JAVA.CLASS.UI

Closeable Not Stored (Java)
Inefficient Instantiation (Java)

Related Guidelines

MITRE CWE

CWE-400, Uncontrolled Resource Consumption (aka "Resource Exhaustion")
CWE-770, Allocation of Resources without Limits or Throttling

Bibliography

[API 2014]

 


[Harold 2006]

Section 13.4, "Performance"

[Sun 2006]

Serialization Specification

...


...