...
The
...
Java
...
classes
...
used
...
by
...
a
...
program
...
are
...
not
...
necessarily
...
loaded
...
upon
...
program
...
startup.
...
Many
...
JVMs
...
load
...
classes
...
only
...
when
...
they
...
need
...
them.
...
If
...
untrusted
...
code
...
is
...
permitted
...
to
...
load
...
classes,
...
it
...
may
...
possess
...
the
...
ability
...
to
...
load
...
sensitive
...
classes
...
required
...
by
...
trusted
...
code.
...
If
...
the
...
trusted
...
code
...
has
...
not
...
already
...
loaded
...
these
...
classes,
...
attempts
...
to
...
subsequently
...
do
...
so
...
may
...
result
...
in
...
untrusted
...
classes
...
being
...
substituted
...
for
...
the
...
sensitive
...
classes.
...
As
...
a
...
result,
...
if
...
a
...
program
...
permits
...
untrusted
...
code
...
to
...
load
...
classes,
...
it
...
must
...
first
...
preload
...
any
...
sensitive
...
classes
...
it
...
needs.
...
Once
...
properly
...
loaded,
...
these
...
sensitive
...
classes
...
cannot be replaced by untrusted code.
Noncompliant Code Example (Tomcat)
This noncompliant code example shows a vulnerability present in several versions of the Tomcat HTTP web server (fixed in version 6.0.20),
...
that
...
allows
...
untrusted
...
web
...
applications
...
to
...
override
...
the
...
default
...
XML
...
parser
...
used
...
by
...
the
...
system
...
to
...
process
...
web.xml,
...
context.xml
...
and tag library descriptor (TLD) files of other web applications deployed on the Tomcat instance. Consequently, untrusted web applications that install a parser could view and/or alter these files under certain circumstances.
| Wiki Markup |
|---|
The noncompliant code example shows the code associated with |
...
initialization of a new {{Digester}} instance in the {{org.apache.catalina.startup.ContextConfig}} class. "A {{Digester}} processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" \[[Tomcat 2009|AA. Bibliography#Tomcat 09]\]. The code to initialize the {{Digester}} follows: |
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} protected static Digester webDigester = null; if (webDigester == null) { webDigester = createWebDigester(); } {code} The {{ |
The createWebDigester()
...
method
...
is
...
responsible
...
for
...
creating
...
the
...
Digester
...
.
...
This
...
method
...
calls
...
createWebXMLDigester()
...
,
...
which
...
invokes
...
the
...
method
...
DigesterFactory.newDigester()
...
.
...
Thie
...
method
...
creates
...
the
...
new
...
digester
...
instance
...
and
...
sets
...
a
...
boolean
...
flag
...
useContextClassLoader
...
to
...
true
...
.
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
}
// This method exists in the class DigesterFactory and is called by ContextConfig.createWebXmlDigester()
// which is in turn called by ContextConfig.createWebDigester()
// webDigester finally contains the value of digester defined in this method
public static Digester newDigester(boolean xmlValidation, boolean xmlNamespaceAware, RuleSet rule) {
Digester digester = new Digester();
// ...
digester.setUseContextClassLoader(true);
// ...
return digester;
}
|
The useContextClassLoader flag is used by Digester to decide which ClassLoader to use when loading new classes. When true, it uses the WebappClassLoader, which is untrusted, because it loads whatever classes are requested by various web applications.
| Code Block | ||
|---|---|---|
| ||
{code} The {{useContextClassLoader}} flag is used by {{Digester}} to decide which {{ClassLoader}} to use when loading new classes. When true, it uses the {{WebappClassLoader}}, which is untrusted, because it loads whatever classes are requested by various web applications. {code:bgColor=#FFCCCC} public ClassLoader getClassLoader() { // ... if (this.useContextClassLoader) { // Uses the context class loader which was previously set to the WebappClassLoader ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); } return classloader; } {code} Later, the {{ |
The Digester.getParser()
...
method
...
is
...
subsequently called
...
by
...
Tomcat
...
to
...
process
...
web.xml
...
and
...
other
...
files:
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} // Digester.getParser() calls this method. It is defined in class Digester public SAXParserFactory getFactory() { if (factory == null) { factory = SAXParserFactory.newInstance(); // Uses WebappClassLoader // ... } return (factory); } {code} |
The
...
underlying
...
problem
...
is
...
that
...
the
...
newInstance()
...
method
...
is
...
being
...
invoked
...
on
...
behalf
...
of
...
a
...
web
...
application's
...
class
...
loader,
...
the
...
WebappClassLoader
...
,
...
and
...
it
...
loads
...
classes
...
before
...
Tomcat
...
has
...
loaded
...
all
...
the
...
classes
...
it
...
needs.
...
If
...
a
...
web
...
application
...
has
...
loaded
...
its
...
own
...
javax.xml.parsers.SAXParserFactory
...
,
...
then
...
when
...
Tomcat
...
tries
...
to
...
access
...
a
...
SAXParserFactory
...
,
...
it
...
will
...
access
...
the
...
incorrect
...
SaxParserFactory
...
used
...
by
...
the
...
web
...
app,
...
rather
...
than
...
the
...
standard
...
Java
...
SAXParserFactory
...
that
...
it
...
depends
...
on.
...
Compliant Solution (Tomcat)
...
In
...
this
...
compliant
...
solution,
...
Tomcat
...
initializes
...
the
...
SAXParserFactory
...
when
...
it
...
creates
...
the
...
Digester
...
.
...
This
...
guarantees
...
that
...
the
...
SAXParserFactory
...
is
...
constructed
...
using
...
the
...
container's
...
class
...
loader,
...
rather
...
than
...
the
...
WebappClassLoader
...
.
...
The
...
webDigester
...
is
...
also
...
marked
...
final.
...
This
...
prevents
...
any
...
subclasses
...
from
...
assigning
...
a
...
new
...
object
...
reference
...
to
...
webDigester
...
.
...
See
...
...
...
...
...
...
...
...
...
for
...
more
...
information.
...
It
...
also
...
prevents
...
a
...
race
...
condition
...
where
...
another
...
thread
...
could
...
access
...
webDigester
...
before
...
it
...
is
...
fully
...
initialized;
...
see
...
...
...
...
...
...
...
...
for
...
more
...
information.
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} protected static final Digester webDigester = init(); protected Digester init() { Digester digester = createWebDigester(); digester.getParser(); // Does not use the context Classloader at initialization, so safe return digester; } {code} Later, even if the Tomcat server continues to use the {{WebappClassLoader}} to create the parser instance when attempting to process the web.xml and other files, the explicit call to {{getParser()}} in {{init()}} ensures that the default parser has been set during prior initialization and is impossible to replace. Because this is a one-time setting, future attempts to change the parser are futile. Note that the {{Class.newInstance()}} method requires the class to contain a no-argument constructor. If this requirement is not satisfied, a runtime exception results, which indirectly prevents a security breach. h2. Risk Assessment Allowing untrusted code to load classes enables untrusted code to replace benign classes with malicious classes. || Rule || Severity || Likelihood || Remediation Cost || Priority || Level || | SEC04-J | high | probable | medium | {color:red}{*}P12{*}{color} | {color:red}{*}L1{*}{color} | h2. Related Guidelines | [Secure Coding Guidelines for the Java Programming Language, Version 3.0|http://www.oracle.com/technetwork/java/seccodeguide-139067.html] | Guideline 6-3 Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader | h2. Bibliography | \[[CVE 2008|AA. Bibliography#CVE 08]\] | [CVE-2009-0783| |
Even if the Tomcat server continues to use the WebappClassLoader to create the parser instance when attempting to process the web.xml and other files, the explicit call to getParser() in init() ensures that the default parser has been set during prior initialization and is impossible to replace. Because this is a one-time setting, future attempts to change the parser are futile.
Note that the Class.newInstance() method requires the class to contain a no-argument constructor. If this requirement is not satisfied, a runtime exception results, which indirectly prevents a security breach.
Risk Assessment
Allowing untrusted code to load classes enables untrusted code to replace benign classes with malicious classes.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SEC04-J | high | probable | medium | P12 | L1 |
Related Guidelines
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 6-3 Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ab14654d-4cff-4180-9cb7-51a6dfe17179"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]] | [CVE-2009-0783 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 |
...
] | ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="06c88137-f717-4062-a239-01761cd9618c"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | Section 4.3.2, |
...
Class |
...
Loader |
...
Delegation |
...
Hierarchy | ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3f7ab2cb-ba47-4d40-b796-c08bacc2fb8e"><ac:plain-text-body><![CDATA[ | [[JLS 2005 | AA. Bibliography#JLS 05]] | Section 4.3.2, |
...
"The |
...
Class |
...
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5bea4f13-1d44-446f-b5d9-ce6c5c6bbd27"><ac:plain-text-body><![CDATA[ | [[Tomcat 2009 | AA. Bibliography#Tomcat 09]] | [Bug ID 29936 | https://issues.apache.org/bugzilla/show_bug.cgi?id=29936], |
...
API |
...
Class |
...
|
...
, |
...
[Security |
...
fix |
...
in |
...
v |
...
6.0.20 |
...
http://tomcat.apache.org/security-6.html] |
...
]]></ac:plain-text-body></ac:structured-macro> |
...
...
...
...
...
...
...
...