...
Java's object cloning mechanism allows an attacker to manufacture new instances of a class by copying the memory images of existing objects rather than by executing the class's constructor. Often this is an unacceptable way of creating new objects. An attacker can misuse the clone feature to manufacture multiple instances of a singleton class, create thread-safety issues by subclassing and cloning the subclass, bypass security checks within the constructor, and violate the invariants of critical data.
Classes that have security checks in their constructors must beware of finalization attacks, as explained in rule OBJ11-J. Be wary of letting constructors throw exceptions.
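The subclass-and-clone bypass described above, beside the OBJ07-J compliant form, as an added example that is not part of the CERT standard; `CredentialHolder`, `LeakyHolder` and `SafeCredentialHolder` are hypothetical names and the constructor check stands in for whatever check a real sensitive class performs:

```java
import java.util.Objects;

// Hypothetical credential holder, constructed for this example. Its
// constructor enforces an authorization check that clone() never re-runs.
class CredentialHolder implements Cloneable {
    private final String secret;
    CredentialHolder(String secret, boolean callerAuthorized) {
        if (!callerAuthorized) throw new SecurityException("caller not authorized");
        this.secret = Objects.requireNonNull(secret);
    }

    String secret() { return secret; }
    // Inherits Object.clone(): copies the field image, skipping the constructor.
}

// A subclass widens the inherited protected clone() to public and can then
// produce further instances without any constructor running.
class LeakyHolder extends CredentialHolder {
    LeakyHolder(String s, boolean authorized) { super(s, authorized); }
    @Override public LeakyHolder clone() {
        try {
            return (LeakyHolder) super.clone();
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e); // unreachable: class is Cloneable
        }
    }
}

// OBJ07-J compliant form: final, so no subclass can add Cloneable, plus a
// final clone() that refuses to copy, as defence in depth if finality is relaxed.
final class SafeCredentialHolder {
    private final String secret;
    SafeCredentialHolder(String secret, boolean callerAuthorized) {
        if (!callerAuthorized) throw new SecurityException("caller not authorized");
        this.secret = Objects.requireNonNull(secret);
    }

    String secret() { return secret; }
    @Override protected final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException("sensitive object must not be copied");
    }
}

public class CloneDemo {
    public static void main(String[] args) {
        LeakyHolder original = new LeakyHolder("constructed-secret", true);
        CredentialHolder copy = original.clone(); // distinct instance, no check ran
        System.out.println(copy != original && copy.secret().equals(original.secret()));
    }
}
```

A class that cannot be declared final should still override `clone()` to throw, since that is the only barrier left once a subclass implements `Cloneable`.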
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
OBJ07-J | medium | probable | medium | P8 | L2 |
...