Noncompliant Code Example (CVE-2013-0422)
Java 1.7.0 update 10 was widely exploited in January 2013 because of several vulnerabilities. One such vulnerability in the com.sun.jmx.mbeanserver.MBeanInstantiator class granted unprivileged code the ability to access any class, regardless of the current security policy or accessibility rules. The MBeanInstantiator.findClass() method could be invoked with any string and would attempt to return the Class object named by that string. This method delegated its work to the MBeanInstantiator.loadClass() method, whose source code is shown here:
import javax.management.ReflectionException;
import javax.management.RuntimeOperationsException;

class MBeanInstantiator {
    /**
     * Load a class with the specified loader, or with this object's
     * class loader if the specified loader is null.
     *
     * Note: no check is made against the current security policy before
     * the named class is loaded, which is the defect this example shows.
     **/
    static Class<?> loadClass(String className, ClassLoader loader)
            throws ReflectionException {
        Class<?> theClass;
        if (className == null) {
            throw new RuntimeOperationsException(
                new IllegalArgumentException(
                    "The class name cannot be null"),
                "Exception occurred during object instantiation");
        }
        try {
            if (loader == null) {
                // For a JDK class this is the bootstrap loader (null)
                loader = MBeanInstantiator.class.getClassLoader();
            }
            if (loader != null) {
                theClass = Class.forName(className, false, loader);
            } else {
                theClass = Class.forName(className);
            }
        } catch (ClassNotFoundException e) {
            throw new ReflectionException(
                e, "The MBean class could not be loaded");
        }
        return theClass;
    }
}
This method delegates the task of dynamically loading the specified class to the
Class.forName() method, which delegates the work to its calling method's class loader.
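The following hardened variant of loadClass() is an added illustration, not the JDK's actual patch: it performs a package-access check against the installed SecurityManager before any class is loaded, so a request for a restricted package is rejected under the current security policy instead of being resolved with the JDK's own class loader. The placement of the check and the use of SecurityManager.checkPackageAccess() are this example's assumptions.

```java
import javax.management.ReflectionException;
import javax.management.RuntimeOperationsException;

/** Added example: loadClass() with a policy check before loading. */
final class CheckedMBeanInstantiator {

    static Class<?> loadClass(String className, ClassLoader loader)
            throws ReflectionException {
        if (className == null) {
            throw new RuntimeOperationsException(
                new IllegalArgumentException("The class name cannot be null"),
                "Exception occurred during object instantiation");
        }
        // Consult the security policy on the *requested* package before any
        // loading happens. With a SecurityManager installed, packages listed
        // in the JDK's "package.access" property (e.g. sun.*) are refused with
        // a SecurityException unless the caller holds the matching
        // RuntimePermission("accessClassInPackage.<pkg>").
        // Caveat: without a SecurityManager this check is a no-op, so the
        // surrounding application must install one for it to have effect.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            int dot = className.lastIndexOf('.');
            if (dot > 0) {
                sm.checkPackageAccess(className.substring(0, dot));
            }
        }
        try {
            if (loader == null) {
                // Same fallback as the original: a JDK class yields the
                // bootstrap loader (null), which is why the check above
                // must run first.
                loader = CheckedMBeanInstantiator.class.getClassLoader();
            }
            if (loader != null) {
                return Class.forName(className, false, loader);
            }
            return Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new ReflectionException(
                e, "The MBean class could not be loaded");
        }
    }
}
```

SecurityManager is deprecated in current JDKs, so this compiles with warnings there; the structural point, checking the requested name against policy before delegating to Class.forName(), is what the example demonstrates.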