https://wiki.owasp.org/index.php?action=history&feed=atom&title=CRV2_RevCodeReflectedAntiPatternJavaCRV2 RevCodeReflectedAntiPatternJava - Revision history2026-04-04T14:12:39ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=CRV2_RevCodeReflectedAntiPatternJava&diff=159688&oldid=prevJohanna Curiel at 20:16, 3 October 20132013-10-03T20:16:26Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 20:16, 3 October 2013</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l8" >Line 8:</td>
<td colspan="2" class="diff-lineno">Line 8:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In order to avoid this security issues, make sure that  </div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>In order to avoid this security issues, make sure that  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>*Java Runtime Environment (JRE) is higher that Java SE 7 Update 6 version</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>*Java Runtime Environment (JRE) is higher that Java SE 7 Update 6 version</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>*<del class="diffchange diffchange-inline">the use </del>of classes such as com.sun.beans.finder.ClassFinder.findClass</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>*<ins class="diffchange diffchange-inline">Correct implementtion </ins>of classes such as com.sun.beans.finder.ClassFinder.findClass  </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>*Private structure using AccessibleObject.setAccessible because it breaks the encapsulation</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>*<ins class="diffchange diffchange-inline">Avoid </ins>Private structure using AccessibleObject.setAccessible because it breaks the encapsulation</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>*Use of sun.misc.Unsafe <del class="diffchange diffchange-inline">providing </del>direct access to memory</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>*<ins class="diffchange diffchange-inline">Avoid </ins>Use of sun.misc.Unsafe <ins class="diffchange diffchange-inline">because it provides </ins>direct access to memory</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>*Verify correct Implementation of java.lang.reflect.ReflectPermission following best practices as described in Oracle Documents, September 2011</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>*Verify correct Implementation of java.lang.reflect.ReflectPermission following best practices as described in Oracle Documents, September 2011</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
</table>Johanna Curielhttps://wiki.owasp.org/index.php?title=CRV2_RevCodeReflectedAntiPatternJava&diff=159673&oldid=prevJohanna Curiel: Created page with "=Reflection Security Issues= Java reflection is a mechanism used by Java programs given them the ability to change the runtime actions of the application running within the J..."2013-10-03T15:43:54Z<p>Created page with "=Reflection Security Issues= Java reflection is a mechanism used by Java programs given them the ability to change the runtime actions of the application running within the J..."</p>
<p><b>New page</b></p><div>=Reflection Security Issues=<br />
<br />
Java reflection is a mechanism used by Java programs given them the ability to change the runtime actions of the application running within the Java Virtual Machine (JVM). It makes it easier for developers to write programs because it helps gather information to implement proper analysis by the software itself (Schildt, 2011), however it compromises the systems because malware can easily bypass the security around the JVM.<br />
<br />
Two security vulnerabilities found regarding the use of Java Reflection are CVE-2012-4681 and CVE-2012-5076. Both of them are related to Java Applets and another common factor is the use of Java reflection.<br />
<br />
==What to look in the code==<br />
In order to avoid this security issues, make sure that <br />
*Java Runtime Environment (JRE) is higher that Java SE 7 Update 6 version<br />
*the use of classes such as com.sun.beans.finder.ClassFinder.findClass<br />
*Private structure using AccessibleObject.setAccessible because it breaks the encapsulation<br />
*Use of sun.misc.Unsafe providing direct access to memory<br />
*Verify correct Implementation of java.lang.reflect.ReflectPermission following best practices as described in Oracle Documents, September 2011<br />
<br />
==References==<br />
<br />
Schildt Hebert, 2011 ‘Java: The complete Reference, 8th Edition ‘ McGraw-Hill <br />
<br />
Common Vulnerabilities and Exposure, 2012 ‘CVE-2012-4681’, available at (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681) last viewed on October 3rd, 2013<br />
<br />
Oracle Documents, 2011 “Permissions in the Java 2 SDK’ available at http://docs.oracle.com/javase/1.4.2/docs/guide/security/permissions.html#ReflectPermission, last viewed on October 3rd, 2013</div>Johanna Curiel