Many static methods in standard java APIs vary their behavior according to the immediate caller's class. Such methods are considered to be caller-sensitive. For example, the java.lang.System.loadLibrary(library) method uses the immediate caller's class loader to find and dynamically load the specified library containing native method definitions. Because native code bypasses all of the security checks enforced by the Java Runtime Environment, only trusted code should be allowed to load libraries dynamically.
Failure to define wrappers around native methods can allow unprivileged callers to invoke them and exploit inherent vulnerabilities such as buffer overflows in native libraries.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
JNI01-J | P27 | L1 |
CWE-111. Direct use of unsafe JNI | |
Secure Coding Guidelines for the Java Programming Language, Version 4.0 | Guideline 9-9. Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance |
[JNI 2006] |
|
|