Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

...

This guideline is a specific instance of 15 OBJ57-J. Do not rely on methods that can be overridden by untrusted code.

Noncompliant Code Example

This noncompliant code example defines a validateValue() method that validates a time value:

...

Code Block
bgColor#ccccff
private void storeDateInDB(java.util.Date date) throws SQLException {
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
    PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());
    // ...
  }
}	

Noncompliant Code Example (CVE-2012-0507)

This noncompliant code example shows a constructor of the Java core class AtomicReferenceArray present in the Java 1.7.0 update 2:

Code Block
bgColor#ffcccc
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = array.clone();
}

This code class was subsequently invoked used by the Flashback exploit that infected 550,000 Macintosh computers in April 2012.1

Compliant Solution (CVE-2012-0507)

In Java 1.7.0 update 3, the constructor was modified to use the Arrays.copyOf() method instead of the clone() method, as follows:

Code Block
bgColor#ccccff
langjava
public AtomicReferenceArray(E[] array) {
    // Visibility guaranteed by final field guarantees
    this.array = Arrays.copyOf(array, array.length, Object[].class);
}

Applicability

Using the clone() method to copy untrusted arguments affords attackers the opportunity to execute arbitrary code.

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.MET52.CIFCOnly "clone()" instances of "final" classes

Bibliography

1 "Exploiting Java Vulnerability CVE-2012-0507 Using Metasploit" is shared by user BreakTheSec on Slideshare.net (July 14, 2012). www.slideshare.net/BreakTheSec/exploiting-java-vulnerability. 


...

Image Modified Image Modified Image Modified