SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 53

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 54

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: added Flashback exploit analysis NCCE/CS

...

Code Block
bgColor#ccccff
private void storeDateInDB(java.util.Date date) throws SQLException {
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
    PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}

Noncompliant Code Example (CVE-2012-0507)

This noncompliant code example shows a constructor of the class AtomicReferenceArray as of Java 1.7.0 update 2:

Code Block
bgColor#ffcccc
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = array.clone();
}

This code was subsequently invoked by an exploit called Flashback that managed to infect 500,000 Macintosh machines in April 2012.

Compliant Solution (CVE-2012-0507)

In Java 1.7.0 update 2, this code was modified as follows:

Code Block
bgColor#ccccff
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = Arrays.copyOf(array, array.length, Object[].class);
}

Applicability

Using the clone() method to copy untrusted arguments affords attackers the opportunity to execute arbitrary code.

...

[Sterbenz 2006]Secure Coding Antipatterns: Avoiding Vulnerabilities
 

Analysis of Java Flashback Exploit

 

...