Comment: Changed to Applicability, moved a reference to Related Guidelines, and updated the reference to Java 7

...

Note that manual clearing of the buffer data is mandatory because direct buffers are exempt from garbage collection.
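As an added illustration (not code from the CERT guideline itself), the following class encodes a password from a `char[]` into a direct `ByteBuffer`, consumes it, and then overwrites both the buffer and the array in a `finally` block so that neither relies on the garbage collector to clear it. The `verify` method and its expected value are constructed placeholders for whatever credential check an application actually performs.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public final class DirectBufferClearing {

    /** Overwrites every byte of the buffer; the caller's position and limit are left untouched. */
    static void clear(ByteBuffer buf) {
        ByteBuffer view = buf.duplicate(); // shares the same backing memory
        view.clear();                      // position 0, limit = capacity
        while (view.hasRemaining()) {
            view.put((byte) 0);
        }
    }

    /** Encodes the password into a direct buffer, checks it, then scrubs both copies. */
    static boolean authenticate(char[] password) {
        // Encode straight into our own direct buffer rather than via String.getBytes(),
        // which would leave an unclearable copy on the heap.
        ByteBuffer secret = ByteBuffer.allocateDirect(password.length * 4);
        try {
            StandardCharsets.UTF_8.newEncoder().encode(CharBuffer.wrap(password), secret, true);
            secret.flip();
            return verify(secret);
        } finally {
            clear(secret);                // direct memory is never zeroed by GC
            Arrays.fill(password, '\0');  // nor is the char[] the password arrived in
        }
    }

    // Constructed placeholder: a real application would compare against a stored hash.
    private static final byte[] EXPECTED = "correct horse".getBytes(StandardCharsets.UTF_8);

    /** Constant-time comparison of the buffer contents against the placeholder value. */
    static boolean verify(ByteBuffer candidate) {
        int diff = candidate.limit() ^ EXPECTED.length;
        for (int i = 0; i < EXPECTED.length; i++) {
            byte b = i < candidate.limit() ? candidate.get(i) : 0;
            diff |= b ^ EXPECTED[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        char[] pw = "correct horse".toCharArray();
        System.out.println(authenticate(pw));    // true
        System.out.println(Arrays.toString(pw)); // every element is now '\0'
    }
}
```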

Exceptions

Applicability

Failure to limit the lifetime of sensitive data can lead to information leaks.

MSC63-EX0: This guideline may be violated when both of the following are true:

1. It can be proved that the code is free from other errors that can expose the sensitive data, and
2. Attackers lack physical access to the target machine.

...

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
MSC63-JG    medium     likely       medium             P12        L1

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...

Related Guidelines

[MITRE 2009]   CWE ID 524 "Information Exposure through Caching"
               CWE ID 528 "Exposure of Core Dump File to an Unauthorized Control Sphere"
               CWE ID 215 "Information Exposure through Debug Information"
               CWE ID 534 "Information Exposure through Debug Log Files"
               CWE ID 526 "Information Exposure through Environmental Variables"
               CWE ID 226 "Sensitive Information Uncleared before Release"

Bibliography

[API 2011]       Class ByteBuffer
[Oracle 2012]    Reading ASCII Passwords From an InputStream Example (Java Cryptography Architecture (JCA) Reference Guide)
[Tutorials 2008] I/O from the Command Line

...