SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 50

changes.mady.by.user Dean Sutherland

Saved on

compared with

New Version 51

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Unrestricted deserializing from a privileged context allows an attacker to supply crafted input which, upon deserialization, can yield objects that the attacker does not have permissions to construct. One example of this is the construction of a sensitive object, such as a custom class loader. (See guidelines SEC12-J. Do not grant untrusted code access to classes in inaccessible packages and SEC13-J. Do not allow unauthorized construction of classes in inaccessible packages.)

Noncompliant Code Example

In August 2008 a vulnerability in the JDK was discovered by Sami Koivu. Julien Tinnes wrote an exploit that allowed arbitrary code execution on multiple platforms that ran vulnerable versions of Java. The problem resulted from deserializing untrusted input from within a privileged context. The vulnerability involves the ZoneInfo object (sun.util.Calendar.Zoneinfo), which being a serializable class, is by design deserialized by the readObject() method of the ObjectInputStream class.

...

Code Block
bgColor#FFcccc
try {
  ZoneInfo zi = (ZoneInfo) AccessController.doPrivileged(
    new PrivilegedExceptionAction() {
      public Object run() throws Exception {
        return input.readObject();
      }
  });
  if (zi != null) {
    zone = zi;
  }
} catch (Exception e) {
}

Compliant Solution

This vulnerability was fixed in JDK v1.6 u11 by defining a new AccessControlContext INSTANCE, with a new ProtectionDomain. The ProtectionDomain encapsulated a RuntimePermission called accessClassInPackage.sun.util.calendar. Consequently, the code was granted the minimal set of permissions required to access the sun.util.calendar class. This whitelisting approach guaranteed that a security exception would be thrown in all other cases of invalid access. Refer to guideline SEC12-J. Do not grant untrusted code access to classes in inaccessible packages for more details on allowing or disallowing access to packages.

...

The two-argument form of doPrivileged() allows stripping all permissions other than the ones specified in the ProtectionDomain. Refer to guideline SEC00-J. Avoid granting excess privileges for more details on using the two-argument doPrivileged() method.

Risk Assessment

Deserializing objects from a privileged context can result in arbitrary code execution.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

SER09-J

high

likely

medium

P18

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup
\[[API 2006|AA. Bibliography#API 06]\] 
TODO

...