Java Reference
In-Depth Information
    } catch (SecurityException exception) {
        // Use current class loader instead
    }
    return Class.forName(name);
}
Although this method is called in the context of an applet, it uses Class.forName() to obtain the requested class. Class.forName() delegates the search to the calling method's class loader. In this case, the calling class (com.sun.beans.finder.ClassFinder) is part of core Java, so the trusted class loader is used in place of the more restrictive applet class loader, and the trusted class loader loads the class, unaware that it is acting on behalf of malicious code.
Compliant Solution (CVE-2012-4681)
Oracle mitigated this vulnerability in Java 1.7.0 update 7 by patching the com.sun.beans.finder.ClassFinder.findClass() method. The checkPackageAccess() method checks the entire call stack to ensure that Class.forName(), in this instance only, fetches classes only on behalf of trusted methods.
public static Class<?> findClass(String name)
        throws ClassNotFoundException {
    checkPackageAccess(name);
    try {
        ClassLoader loader =
            Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            // Can be null in IE (see 6204697)
            loader = ClassLoader.getSystemClassLoader();
        }
        if (loader != null) {
            return Class.forName(name, false, loader);
        }
    } catch (ClassNotFoundException exception) {
        // Use current class loader instead
    } catch (SecurityException exception) {
        // Use current class loader instead
    }
    return Class.forName(name);
}
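The package-access guard of the compliant solution, worked through as an added example that is not the JDK's or CERT's code: GuardedClassFinder is a hypothetical class, and RESTRICTED is a constructed stand-in for the package.access security property, consulted only when no SecurityManager is installed (with one installed, the guard delegates to SecurityManager.checkPackageAccess(), which performs the call-stack check the text describes).

```java
import java.util.Arrays;
import java.util.List;

// Added example, not the JDK's ClassFinder: a guarded findClass() in the
// spirit of the 7u7 patch. RESTRICTED is a constructed stand-in for the
// "package.access" property that a SecurityManager would consult.
public final class GuardedClassFinder {
    private static final List<String> RESTRICTED =
        Arrays.asList("sun.", "com.sun.beans.finder.");

    // Package of a binary class name; array descriptors unwrap to the element type.
    static String packageOf(String name) {
        String cname = name.replace('/', '.');
        if (cname.startsWith("[")) {                     // e.g. "[Lsun.misc.Unsafe;"
            cname = cname.substring(cname.lastIndexOf('[') + 1);
            if (!cname.startsWith("L") || !cname.endsWith(";")) {
                return "";                               // primitive array: nothing to guard
            }
            cname = cname.substring(1, cname.length() - 1);
        }
        int i = cname.lastIndexOf('.');
        return i == -1 ? "" : cname.substring(0, i);
    }

    // Reject restricted packages before any trusted loader is consulted.
    static void checkPackageAccess(String name) {
        String pkg = packageOf(name);
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPackageAccess(pkg);                  // inspects the whole call stack
            return;
        }
        for (String prefix : RESTRICTED) {               // self-contained fallback
            if ((pkg + ".").startsWith(prefix)) {
                throw new SecurityException("access denied: " + pkg);
            }
        }
    }

    public static Class<?> findClass(String name) throws ClassNotFoundException {
        checkPackageAccess(name);                        // the guard the vulnerable version lacked
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = ClassLoader.getSystemClassLoader();
        }
        return Class.forName(name, false, loader);
    }
}
```

With this guard, findClass("java.util.ArrayList") resolves normally, while findClass("com.sun.beans.finder.ClassFinder") throws SecurityException before any loader is asked to load the class.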