...
This guideline is a specific instance of 15 OBJ57-J. Do not rely on methods that can be overridden by untrusted code.
Noncompliant Code Example
This noncompliant code example defines a validateValue()
method that validates a time value:
...
Code Block | ||
---|---|---|
| ||
private void storeDateInDB(java.util.Date date) throws SQLException { final java.util.Date copy = new java.util.Date(date.getTime()); if (validateValue(copy.getTime())) { Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>"); PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?"); pstmt.setLong(1, copy.getTime()); // ... } } |
Noncompliant Code Example (CVE-2012-0507)
This noncompliant code example shows a constructor of the Java core class AtomicReferenceArray
present in the Java 1.7.0 update 2:
Code Block | ||||
---|---|---|---|---|
| ||||
public AtomicReferenceArray(E[] array) { // Visibility guaranteed by final field guarantees this.array = array.clone(); } |
This code class was subsequently invoked used by the Flashback exploit that infected 550,000 Macintosh computers in April 2012.1
Compliant Solution (CVE-2012-0507)
In Java 1.7.0 update 3, the constructor was modified to use the Arrays.copyOf()
method instead of the clone()
method, as follows:
Code Block | ||||
---|---|---|---|---|
| ||||
public AtomicReferenceArray(E[] array) { // Visibility guaranteed by final field guarantees this.array = Arrays.copyOf(array, array.length, Object[].class); } |
Applicability
Using the clone()
method to copy untrusted arguments affords attackers the opportunity to execute arbitrary code.
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.MET52.CIFC | Only "clone()" instances of "final" classes |
Bibliography
1 "Exploiting Java Vulnerability CVE-2012-0507 Using Metasploit" is shared by user BreakTheSec on Slideshare.net (July 14, 2012). www.slideshare.net/BreakTheSec/exploiting-java-vulnerability.
...