Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

Making defensive copies of mutable method parameters mitigate mitigates against a variety of security vulnerabilities; see OBJ06-J. Defensively copy mutable inputs and mutable internal components for additional information. However, inappropriate use of the clone() method can allow an attacker to exploit vulnerabilities by providing arguments that appear normal but subsequently return unexpected values. Such objects may consequently bypass validation and security checks. When such a class is might be passed as an argument to a method, treat the argument as untrusted, and do not use the clone() method provided by the class. Also, do not use the clone() method of nonfinal classes to make defensive copies.

This guideline is a specific instance of OBJ58of OBJ57-JGJ. Do not rely on methods that can be overridden methods provided by untrusted code.

Noncompliant Code Example

This noncompliant code example defines a validateValue() method that validates a time value:

...

Code Block
langjava
class MaliciousDate extends java.util.Date {
  @Override
  public MaliciousDate clone() {
    // maliciousMalicious code goes here
  }
}

If, however, the attacker can only provide a malicious date with lessened privileges, the attacker can still produce a malicious date that bypasses validation, bypass validation but still confounds confound the remainder of the program. Consider this example:

...

This malicious date will appear to be a benign date class the first time that getTime() is invoked. This allows it to bypass validation in the storeDateInDB() method. However, the time that is actaully actually stored in the database will be incorrect.

...

This compliant solution avoids using the clone() method. Instead, it creates a new java.util.Date object that is subsequently used for access control checks and for insertion into the database:

Code Block
bgColor#ccccff
private void storeDateInDB(java.util.Date date) throws SQLException {
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
    PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}	

Noncompliant Code Example (CVE-2012-0507)

This noncompliant code example shows a constructor of the Java core class AtomicReferenceArray as of present in the Java 1.7.0 update 2:

Code Block
bgColor#ffcccc
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = array.clone();
}

This code class was subsequently invoked used by an the Flashback exploit called Flashback that managed to infect 500that infected 550,000 Macintosh machines computers in April 2012.1

Compliant Solution (CVE-2012-0507)

In Java 1.7.0 update 3, this code the constructor was modified to use the Arrays.copyOf() method instead of the clone() method, as follows:

Code Block
bgColor#ccccff
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = Arrays.copyOf(array, array.length, Object[].class);
}

Applicability

Using the clone() method to copy untrusted arguments affords attackers the opportunity to execute arbitrary code.

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.MET52.CIFCOnly "clone()" instances of "final" classes

Bibliography

 1 "Exploiting Java Vulnerability CVE-2012-0507 Using Metasploit" is shared by user BreakTheSec on Slideshare.net (July 14, 2012). www.slideshare.net/BreakTheSec/exploiting-java-vulnerability.


...

Image Modified Image Modified Image Modified