...
It is vital to recompile both the Ssn and SsnVerify classes so that the bytecode verifier is applied and detects the non-conforming code.
Alternatively, to force bytecode verification when the unmodified class is loaded, the -verify flag (on current HotSpot JVMs, -Xverify:all) can be specified on the java command line.
Verification is initiated automatically unless the -noverify flag (equivalently, -Xverify:none) is specified on the command line; both spellings have been deprecated since JDK 13 but are still accepted. On Java 2 systems, classes loaded by the primordial (bootstrap) class loader, which loads classes from the boot class path, are not required to undergo bytecode verification: under the default policy (-Xverify:remote on current JVMs), only classes loaded by other class loaders are verified, so application code appended to the boot class path bypasses the verifier unless -Xverify:all is given.
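The run-time policy described above, as an added example that is not code from the original page: a hypothetical VerifierGuard class that reads the JVM's launch options through the RuntimeMXBean and refuses to start when verification has been disabled, or when application classes were appended to the boot class path without -Xverify:all. The class name, the check's wording and the exit status are assumptions of this example.

```java
import java.lang.management.ManagementFactory;
import java.util.List;

/**
 * Startup guard (hypothetical, added example): refuses to run when the JVM
 * was launched with bytecode verification disabled, or with application
 * classes appended to the boot class path, which the default
 * -Xverify:remote policy leaves unverified.
 */
public final class VerifierGuard {

    /**
     * Inspects the JVM launch options and returns a description of the
     * problem, or null when the verification policy is acceptable.
     */
    static String checkVerificationPolicy(List<String> jvmArgs) {
        boolean verifyAll = false;
        boolean bootClassPathAppended = false;

        for (String arg : jvmArgs) {
            // Either spelling turns the verifier off for every class loader.
            if (arg.equals("-noverify") || arg.equals("-Xverify:none")) {
                return "bytecode verification disabled by " + arg;
            }
            if (arg.equals("-Xverify:all")) {
                verifyAll = true;
            }
            // Classes appended here are loaded by the bootstrap loader and
            // are skipped by the default -Xverify:remote policy.
            if (arg.startsWith("-Xbootclasspath/a:")) {
                bootClassPathAppended = true;
            }
        }

        if (bootClassPathAppended && !verifyAll) {
            return "classes on the boot class path are not verified unless -Xverify:all is given";
        }
        return null;
    }

    public static void main(String[] args) {
        // Options passed to the launcher (not the main class's own arguments).
        List<String> jvmArgs =
            ManagementFactory.getRuntimeMXBean().getInputArguments();
        String problem = checkVerificationPolicy(jvmArgs);
        if (problem != null) {
            System.err.println("Refusing to start: " + problem);
            System.exit(1);  // assumed exit status for a rejected configuration
        }
        System.out.println("Verification policy accepted; JVM options: " + jvmArgs);
    }
}
```

Compile with `javac VerifierGuard.java`; `java -Xverify:all VerifierGuard` prints the acceptance line, while `java -noverify VerifierGuard` exits with status 1. For the Ssn and SsnVerify classes the same idea applies at the command line: `javac Ssn.java SsnVerify.java && java -Xverify:all SsnVerify`. The guard only sees the options the launcher received; anyone who controls the JVM flags controls the process anyway, so treat it as a deployment-configuration check rather than a security boundary. The actual control is running with -Xverify:all.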
Risk Assessment
If the bytecode verifier is not applied to all code, code that does not conform to the Java Language Specification can be loaded into the JVM. Such code could bypass the type-safety and access-control checks that are normally guaranteed for Java code, thereby compromising security.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC36-J | ?? medium ?? | probable | ?? high | P?? | L?? |
Automated Detection
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Oaks 01] The Bytecode Verifier
[EJS 04] Enterprise Security: Building Secure J2EE Applications, 7.3 The Class File Verifier