Memory and resource leaks during serialization can expose the application to a resource exhaustion attack or can crash the Java Virtual Machine.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SER10-J | Low | Unlikely | Low | P3 | L3 |

Automated Detection

Detecting code that should be considered privileged or sensitive requires programmer assistance. Given identified privileged code as a starting point, automated tools could compute the closure of all code that can be invoked from that point. Such a tool could plausibly determine whether all code in that closure exists within a single package. A further check of whether the package is sealed is feasible.

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | JAVA.ALLOC.LEAK.NOTSTORED | Closeable Not Stored (Java) |
| | | JAVA.CLASS.UI | Inefficient Instantiation (Java) |

Related Guidelines

MITRE CWE

CWE-400, Uncontrolled Resource Consumption (aka "Resource Exhaustion")
CWE-770, Allocation of Resources without Limits or Throttling
