Because the calling method is MBeanInstantiator.loadClass() , the core class loader
is used, which provides no security checks.
Compliant Solution (CVE-2013-0422)
Oracle mitigated this vulnerability in Java 1.7.0 update 11 by adding an access check to
the MBeanInstantiator.loadClass() method. This access check ensures that the caller
is permitted to access the class being sought:
// ...
if (className == null) {
    throw new RuntimeOperationsException(
        new IllegalArgumentException(
            "The class name cannot be null"),
        "Exception occurred during object instantiation");
}
// Added in 7u11: verify that the caller may access the package of the
// requested class before any class loader is consulted
ReflectUtil.checkPackageAccess(className);
try {
    if (loader == null)
// ...
Applicability
Allowing untrusted code to invoke methods with reduced-security checks can result in privilege escalation. Likewise, allowing untrusted code to perform actions using the immediate caller's class loader may allow the untrusted code to execute with the same privileges as the immediate caller.
Methods that avoid using the immediate caller's class loader instance fall outside the
scope of this guideline. For example, the three-argument java.lang.Class.forName()
method requires an explicit argument that specifies the class loader instance to use.
public static Class forName(String name, boolean initialize,
                            ClassLoader loader)
    throws ClassNotFoundException
Do not use the immediate caller's class loader as the third argument when instances
must be returned to untrusted code.
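The two patterns contrasted above (a lookup that silently uses the immediate caller's class loader, and a checked lookup in the spirit of the 7u11 fix that takes an explicit loader), as an added illustration that is neither JDK code nor code from the book; the ClassLookup class and its method names are hypothetical, and the public SecurityManager.checkPackageAccess stands in for the internal ReflectUtil.checkPackageAccess call shown in the compliant solution.

```java
/** Illustrative helper (not JDK code): an unchecked lookup that uses this
 *  class's own loader versus a lookup that enforces a package-access check
 *  and resolves with a loader supplied explicitly by the caller. */
public final class ClassLookup {

    /** Pattern of the noncompliant code: resolves the name with the loader
     *  that loaded this helper. If the helper lives on the boot class path,
     *  untrusted callers reach restricted packages with no check at all. */
    public static Class<?> loadClassUnchecked(String className)
            throws ClassNotFoundException {
        return Class.forName(className, false,
                             ClassLookup.class.getClassLoader());
    }

    /** Compliant pattern: reject null, consult the security manager's
     *  package-access policy (the public counterpart of the internal
     *  ReflectUtil.checkPackageAccess call), then resolve with the
     *  caller-supplied loader rather than this class's own. */
    public static Class<?> loadClassChecked(String className,
                                            ClassLoader loader)
            throws ClassNotFoundException {
        if (className == null) {
            throw new IllegalArgumentException(
                "The class name cannot be null");
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            int dot = className.lastIndexOf('.');
            if (dot > 0) {
                // Throws SecurityException when the calling domain is not
                // allowed to access this package (e.g. one listed under the
                // package.access security property, such as sun.*).
                sm.checkPackageAccess(className.substring(0, dot));
            }
        }
        return Class.forName(className, false, loader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: a public class resolved through the
        // thread's context loader, which the caller chose explicitly.
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        Class<?> c = loadClassChecked("java.util.ArrayList", ctx);
        System.out.println(c.getName() + " via " + c.getClassLoader());
    }
}
```

With no security manager installed the package-access branch is skipped, so the check only has teeth in the sandboxed (applet or policy-restricted) deployments the guideline is concerned with.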