Java's object cloning mechanism can allow an attacker to manufacture new instances of an already-defined class without executing its constructor, so any validation or security checks that the constructor performs are bypassed. If a class is not cloneable, the attacker can define a subclass and make that subclass implement the java.lang.Cloneable interface. This lets an attacker create new instances of the class. The new instances are made by copying the memory images of existing objects; though this is sometimes an acceptable way of making a new object, it often is not.
Compliant Code
Classes should be made non-cloneable to prevent this from occurring. The following method may be implemented to achieve this.
 // The return type must be Object (not void) to override Object.clone();
 // final prevents any subclass from replacing this method.
 public final Object clone() throws java.lang.CloneNotSupportedException {
     throw new java.lang.CloneNotSupportedException();
 }
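The following is an added example, not code from the original page: it puts the throwing final clone() above into a class whose constructor enforces invariants, checks that a subclass implementing Cloneable still cannot obtain a copy, and also shows the case where cloning is genuinely required and the clone() override is therefore declared final. The class names Account, SneakyAccount and Ticket are constructed for this illustration.

```java
// Added example (not from the original page). Class names Account, SneakyAccount
// and Ticket are constructed for this illustration.

/* Constructed class whose constructor enforces invariants that cloning would bypass. */
class Account {
    private final String owner;
    private final long balanceCents;

    Account(String owner, long balanceCents) {
        if (owner == null || owner.isEmpty()) {
            throw new IllegalArgumentException("owner is required");
        }
        if (balanceCents < 0) {
            throw new IllegalArgumentException("balance must not be negative");
        }
        this.owner = owner;
        this.balanceCents = balanceCents;
    }

    /* Refuse cloning outright. The return type must be Object (or a subtype) to
       override Object.clone(); final prevents a subclass from replacing this
       method after declaring that it implements Cloneable. */
    @Override
    public final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException(getClass().getName() + " is not cloneable");
    }

    String owner() { return owner; }
    long balanceCents() { return balanceCents; }
}

/* Subclass that declares Cloneable. Because Account.clone() is final, it cannot be
   overridden here, so clone() on this subclass still throws; without final, the
   subclass would be free to supply its own clone(). */
class SneakyAccount extends Account implements Cloneable {
    SneakyAccount(String owner, long balanceCents) {
        super(owner, balanceCents);
    }
}

/* A class that legitimately needs cloning: the clone() override is declared final
   so subclasses cannot change how copies are produced (measure #1 on the page). */
class Ticket implements Cloneable {
    private final int id;

    Ticket(int id) {
        if (id <= 0) throw new IllegalArgumentException("id must be positive");
        this.id = id;
    }

    @Override
    public final Ticket clone() {
        try {
            return (Ticket) super.clone();   // field-by-field copy of an already-validated instance
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);     // cannot happen: Ticket implements Cloneable
        }
    }

    int id() { return id; }
}

public class CloneGuardDemo {
    public static void main(String[] args) {
        SneakyAccount sneaky = new SneakyAccount("alice", 100_00);
        try {
            Object unexpected = sneaky.clone();
            System.out.println("UNEXPECTED: clone succeeded: " + unexpected);
        } catch (CloneNotSupportedException e) {
            System.out.println("clone refused as intended: " + e.getMessage());
        }

        Ticket original = new Ticket(42);
        Ticket dup = original.clone();
        System.out.println("ticket copy id=" + dup.id() + ", distinct object=" + (dup != original));
    }
}
```

Compile and run with `javac CloneGuardDemo.java && java CloneGuardDemo`. The first message confirms that declaring Cloneable on a subclass does not re-enable cloning while clone() is final; the Ticket case shows that when copies are required, keeping the override final means every copy still descends from an instance that passed the constructor's checks.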
If it is absolutely required to make the class cloneable, protective measures can still be taken.
#1. If the clone method is being overridden, make it final.
#2. If the class relies on a non-final clone method of one of its superclasses, then define the following