SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 110

changes.mady.by.user Sandy Shrum

Saved on

compared with

New Version Current

changes.mady.by.user Jon O'Donnell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Granting AllPermission to untrusted code allows it to perform privileged operations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV03-J

High

Likely

Low

P27

L1

Automated Detection

Static detection of potential uses of dangerous permissions is a trivial search. Automated determination of the correctness of such uses is not feasible.

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.PERM

Permissive File Mode (Java)

Related Vulnerabilities

CVE-2007-5342 describes a vulnerability in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15. The security policy used in the JULI logging component failed to restrict certain permissions for web applications. An attacker could modify the log level, directory, or prefix attributes in the org.apache.juli.FileHandler handler, permitting them to modify logging configuration options and overwrite arbitrary files.

Related Guidelines

MITRE CWE

CWE-732, Incorrect Permission Assignment for Critical Resource

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used. Android uses another permission mechanism for security purposes.

Bibliography

[API 2014]

Class AllPermission
Class ReflectPermission
Class RuntimePermission

[Gong 2003]

 


[Long 2005]

Section 2.5, "Reflection"

[Permissions 2008]

Section "ReflectPermission"

[Reflect 2006]

[Security 2006]

Security Architecture
Section "RuntimePermission"

...


...