Comment: Migrated to Confluence 4.0

...

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| IDS07-J | high | probable | medium | P12 | L1 |

Related Vulnerabilities

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a3a8fe03-0682-45f2-984b-9806ca3692b1"><ac:plain-text-body><![CDATA[
[CVE-2010-0886]
[Sun Java Web Start Plugin Command Line Argument Injection | http://www.securitytube.net/video/1465]
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b1406b02-a79e-47a9-a84c-54b84fff3735"><ac:plain-text-body><![CDATA[
[CVE-2010-1826]
[Command injection in updateSharingD's handling of Mach RPC messages | http://securitytracker.com/id/1024617]
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="c8838032-1a01-47e3-b380-0b468490e589"><ac:plain-text-body><![CDATA[
[T-472]
[Mac OS X Java Command Injection Flaw in updateSharingD lets local users gain elevated privileges | http://www.doecirc.energy.gov/bulletins/t-472.shtml]
]]></ac:plain-text-body></ac:structured-macro>

Related Guidelines

| Standard | Guideline |
|---|---|
| The CERT C Secure Coding Standard | ENV03-C. Sanitize the environment when invoking external programs |
| | ENV04-C. Do not call system() if you do not need a command processor |
| The CERT C++ Secure Coding Standard | ENV03-CPP. Sanitize the environment when invoking external programs |
| | ENV04-CPP. Do not call system() if you do not need a command processor |

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2dee0e46-a050-4c76-93fc-dc501f582f29"><ac:plain-text-body><![CDATA[
[ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/]
Injection [RST]
]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")

Bibliography

...

[[Chess 2007 | AA. References#Chess 07]]
Chapter 5, Handling Input, "Command Injection"
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8754f43c-f988-45ee-b8aa-306c8ebd6e6b"><ac:plain-text-body><![CDATA[
[[OWASP 2005 | AA. References#OWASP 05]]
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f3e2dd10-d7ac-4224-8df6-11aae12fdfca"><ac:plain-text-body><![CDATA[
[[Permissions 2008 | AA. References#Permissions 08]]
]]></ac:plain-text-body></ac:structured-macro>

...
