SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 7

changes.mady.by.user Fred Long

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The JVMTI works by using agents that communicate with the running JVM. These agents are usually loaded at JVM startup via one of the command line options -agentlib: or -agentpath:. However, some JVMs allow agents to be started when the JVM is actually running. Also, platforms that support environment variables allow agents to be specified in such variables, although this feature can be disabled where security is a concern. The JVMTI is always enabled, and JVMTI agents may run under the default security manager without requiring any permissions to be granted.

Risk Assessment

Failing to appreciate that a Java application can be monitored and modified via the JVM Tool Interface may lead to an application being deployed that is vulnerable to attack via this route.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC02 ENV01-J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[JVMTI 06|AA. Java References#JVMTI 06]\]
\[[Long 05|AA. Java References#Long 05]\] Section 2.6, The JVM Tool Interface

...