...
Oracle mitigated this vulnerability in Java 1.7.0p11 by adding an access check to the loadClass() method. This access check ensures that the caller is permitted to access the class being sought:
```java
// ...
if (className == null) {
  throw new RuntimeOperationsException(
      new IllegalArgumentException("The class name cannot be null"),
      "Exception occurred during object instantiation");
}
ReflectUtil.checkPackageAccess(className);
try {
  if (loader == null)
  // ...
```
...
```java
public static Class forName(String name, boolean initialize,
                            ClassLoader loader) /* explicitly specify the class loader to use */
    throws ClassNotFoundException
```
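To show how the two pieces above fit together, the package-access check performed before loading and the `Class.forName` overload that takes an explicit class loader, here is an added, self-contained example. It is not code from the guideline or from the JDK: the real JDK check is `sun.reflect.misc.ReflectUtil.checkPackageAccess`, which consults the `package.access` security property, whereas this example carries a small constructed deny list of its own (the `RESTRICTED_PREFIXES` list, the `checkPackageAccess` and `loadClass` helper names, and the class name `sun.example.Internal` used in `main` are all assumptions made for the example).

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: a class-loading helper that refuses to resolve classes
 * from restricted packages before delegating to Class.forName with an
 * explicitly chosen class loader. This stands in for the JDK's internal
 * ReflectUtil.checkPackageAccess; it is not the JDK's implementation.
 */
public final class CheckedClassLoading {

    // Constructed deny list for this example. A real deployment would
    // derive the restricted packages from the package.access property.
    private static final List<String> RESTRICTED_PREFIXES =
        Arrays.asList("sun.", "com.sun.jmx.", "jdk.internal.");

    private CheckedClassLoading() {}

    /** Throws SecurityException if className lies in a restricted package. */
    static void checkPackageAccess(String className) {
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        // Compare "pkg." so that "sun" does not match the "sunrise" package.
        for (String prefix : RESTRICTED_PREFIXES) {
            if ((pkg + ".").startsWith(prefix)) {
                throw new SecurityException("access denied to package " + pkg);
            }
        }
    }

    /**
     * Loads a class by name, without running its static initializers
     * (initialize = false), and only after the package check has passed.
     * The caller supplies the loader rather than the helper relying on
     * the immediate caller's class loader.
     */
    public static Class<?> loadClass(String className, ClassLoader loader)
            throws ClassNotFoundException {
        if (className == null) {
            throw new IllegalArgumentException("The class name cannot be null");
        }
        checkPackageAccess(className);   // reject before any loading happens
        if (loader == null) {
            loader = ClassLoader.getSystemClassLoader();
        }
        return Class.forName(className, false, loader);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = CheckedClassLoading.class.getClassLoader();
        // Allowed: an ordinary public API class.
        System.out.println(loadClass("java.util.ArrayList", loader).getName());
        // Rejected: a constructed name inside a restricted package. The
        // check fires before Class.forName, so the class need not exist.
        try {
            loadClass("sun.example.Internal", loader);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters: the package check runs before `Class.forName`, so a name in a restricted package is refused without the loader ever being consulted, and passing `false` for `initialize` keeps static initializers from running as a side effect of the lookup.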
Related Guidelines
...
Bibliography

| Reference | Title |
|---|---|
| [API 2011] | Class ClassLoader |
| [Chan 1999] | java.lang.reflect AccessibleObject |
| [Guillardoy 2012] | Java 0-day Analysis (CVE-2012-4681) |
| [Manion 2013] | Anatomy of Java Exploits |
| [Oracle 2013] | Oracle Security Alert for CVE-2013-0422 |
...