The default SecurityManager checks whether the caller of a particular method has sufficient permissions to proceed with an action. An action is a level of access; for instance, the actions for java.io.FilePermission are "read," "write," "execute," and "delete" [Sun 2006API 2011] Class FilePermission. The "Permission Descriptions and Risks" guide [Permissions 2008] enumerates the default permissions and the risks associated with granting these permissions to Java code.
...
| Code Block |
|---|
grant codeBase "file:c:\\package" { // For *nix, file:${user.home}/package/
permission ExceptionReporterPermission "exc.reporter";
permission java.lang.RuntimePermission "loadLibrary.awt";
};
|
...
Applicability
Running Java code without defining custom permissions where default permissions are inapplicable can leave an application open to privilege escalation vulnerabilities.
...
Guideline
...
Severity
...
...
Remediation Cost
...
Priority
...
Level
...
SEC56-JG
...
medium
...
probable
...
high
...
P4
...
L3
Automated Detection
Automated detection is not feasible.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
MITRE CWE: CWE-732, "Incorrect Permission Assignment for Critical Resource"
Bibliography
[API 20062011] Class SecurityManager
[Oaks 2001] Chapter 5: The Access Controller, "Permissions"
[Policy 2002]
[Sun 2006] Permission Descriptions and RisksOracle 2012] Permissions in Java SE 7 Development Kit (JDK)
...