Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Failure to make sensitive classes noncopyable can permit violations of class invariants and provide malicious subclasses with the opportunity to exploit the code to create new instances of objects, even in the presence of the default security manager (in the absence of custom security checks).

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

OBJ07-J

Medium

Probable

Medium

P8

L2

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest9.5SECURITY.WSC.MCNCImplemented
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CLASS.CLONE.CNC
JAVA.CLASS.CLONE.SCNC
JAVA.CLASS.CLONE.NF

clone Non-cloneable (Java)
clone Subclass of Non-clonable (Java)
clone not final (Java)

Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.OBJ07.MCNCMake your classes noncloneable

Related Guidelines

MITRE

2009

CWE

CWE-498, Cloneable Class Containing Sensitive Information
CWE-491, Public cloneable() Method without Final (aka "Object Hijack")

Bibliography

[McGraw 1998]

"Twelve Rules for Developing More Secure Java Code"

[Wheeler 2003]

Section 10.6, "Java"

...


...