private void storeDateInDB(java.util.Date date) throws SQLException {
  // Defensive copy: the caller's Date is mutable, so validate and use a
  // private copy rather than the caller's object
  final java.util.Date copy = new java.util.Date(date.getTime());
  if (validateValue(copy.getTime())) {
    Connection con = DriverManager.getConnection(
        "jdbc:microsoft:sqlserver://<HOST>:1433", "<UID>", "<PWD>");
    PreparedStatement pstmt =
        con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
    pstmt.setLong(1, copy.getTime());  // the validated copy, not the original
    // ...
  }
}
Noncompliant Code Example (CVE-2012-0507)
This noncompliant code example shows a constructor of the Java core class AtomicReferenceArray present in Java 1.7.0 update 2:
public AtomicReferenceArray(E[] array) {
  // Visibility guaranteed by final field guarantees
  this.array = array.clone();
}
This code was subsequently invoked by the Flashback exploit that infected 600,000 Macintosh computers in April 2012.[1]

[1] “Exploiting Java Vulnerability CVE-2012-0507 Using Metasploit” is shared by user BreakTheSec on Slideshare.net (July 14, 2012); see www.slideshare.net/BreakTheSec/exploiting-java-vulnerabil-
Compliant Solution (CVE-2012-0507)
In Java 1.7.0 update 3, the constructor was modified to use the Arrays.copyOf() method instead of the clone() method as follows:
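As an added illustration (a hypothetical class of my own, not the book's listing and not JDK source) of why the copy method matters: a clone() of an array keeps the caller's runtime component type, whereas Arrays.copyOf() with an explicit Object[].class target (the form I assume the fix takes) always produces a fresh Object[] that the holder controls. Assumed names: ArrayCopyDemo, CloneHolder, CopyOfHolder, storedType, setRaw.

```java
import java.util.Arrays;

// Added illustration (hypothetical class, not JDK code): clone() keeps the
// caller's runtime array type, Arrays.copyOf() with an explicit target type
// always yields a fresh Object[] that the callee controls.
public class ArrayCopyDemo {

    // Mirrors the noncompliant pattern: the stored array's runtime class is
    // whatever the caller passed in, because clone() preserves it.
    static final class CloneHolder<E> {
        private final Object[] array;
        CloneHolder(E[] array) { this.array = array.clone(); }
        Class<?> storedType() { return array.getClass(); }
        // Unchecked store; the JVM enforces the array's runtime component type
        void setRaw(int i, Object value) { array[i] = value; }
    }

    // Mirrors the compliant pattern (assumed form of the fix): the copy is
    // created as Object[] regardless of the caller's array type.
    static final class CopyOfHolder<E> {
        private final Object[] array;
        CopyOfHolder(E[] array) {
            this.array = Arrays.copyOf(array, array.length, Object[].class);
        }
        Class<?> storedType() { return array.getClass(); }
        void setRaw(int i, Object value) { array[i] = value; }
    }

    public static void main(String[] args) {
        String[] input = { "a", "b" };   // constructed sample input

        CloneHolder<String> cloned = new CloneHolder<>(input);
        System.out.println("clone()  -> " + cloned.storedType().getSimpleName());
        try {
            cloned.setRaw(0, Integer.valueOf(1));  // array is String[] at runtime
        } catch (ArrayStoreException e) {
            System.out.println("clone(): runtime type still String[], store rejected");
        }

        CopyOfHolder<String> copied = new CopyOfHolder<>(input);
        System.out.println("copyOf() -> " + copied.storedType().getSimpleName());
        copied.setRaw(0, Integer.valueOf(1));  // accepted: the copy is a plain Object[]

        // Both holders copied, so the caller's array is unchanged either way.
        System.out.println("caller's input[0] = " + input[0]);
    }
}
```

The point for a reviewer: with clone() the holder's internal invariants depend on a runtime type chosen by the caller, while Arrays.copyOf() with an explicit target type removes that dependency and still leaves the caller's array untouched.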