SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 142

changes.mady.by.user Arthur Hicken

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

Allowing untrusted code to load classes enables untrusted code to replace benign classes with Trojan classes.

Rule

Severity

Likelihood

Remediation Cost

Detectable

Repairable

Priority

Level

SEC03-J

high

probable

No

medium

No

P12

P6

L1

L2

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest9.5
SECURITY
CERT.
BV
SEC03.ACL
Implemented
Do not access the class loader in a web component

Related Guidelines

Secure Coding Guidelines for the Java Programming Language, Version 3.0

Guideline 6-3. Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader

Android Implementation Details

On Android, the use of DexClassLoader or PathClassLoader requires caution.

Bibliography

[CVE 2011]

CVE-2009-0783

[Gong 2003]

Section 4.3.2, Class Loader Delegation Hierarchy

[JLS 2005]

§4.3.2, The Class Object

[Tomcat 2009]

Bug ID 29936, API Class org.apache.tomcat.util.digester.Digester, Security fix in v 6.0.20

...


...