All posts by rocco

CWE-1025 – Comparison Using Wrong Factors


Description

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

For example, the code might inadvertently compare references to objects rather than the relevant contents of those objects, causing two objects with identical contents to be considered unequal. The converse error, comparing only some of the fields that define an entity's identity, can cause two distinct entities to be considered equal.
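Both directions of the weakness in code, as an added example that is not part of the CWE entry: a token check that compares object identity instead of contents (equal values rejected), and an equals() that ignores the tenant field (different principals accepted). Class names, the token value and the tenant/user names are constructed for illustration; the fixed token check uses the JDK's MessageDigest.isEqual, which compares the byte contents in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

/*
 * Added example for CWE-1025 (not from the CWE entry). Two ways a comparison
 * can examine the wrong factors:
 *   1. comparing object identity (==) when the contents matter, so equal
 *      values are treated as different;
 *   2. an equals() that ignores a security-relevant field, so different
 *      principals are treated as the same.
 * All class names and sample values are hypothetical.
 */
public final class WrongComparisonFactors {

    /* --- 1. identity vs. contents ------------------------------------ */

    /** Flawed: true only when both arguments are the same String object. */
    static boolean tokenMatchesByIdentity(String presented, String stored) {
        return presented == stored;
    }

    /** Fixed: compares the bytes of the two values, in constant time. */
    static boolean tokenMatches(String presented, String stored) {
        if (presented == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    /* --- 2. equals() that looks at the wrong fields ------------------- */

    /** Flawed: accounts are "equal" when usernames match, even across tenants. */
    static final class AccountByNameOnly {
        final String tenant;
        final String username;
        AccountByNameOnly(String tenant, String username) {
            this.tenant = tenant;
            this.username = username;
        }
        @Override public boolean equals(Object o) {
            return o instanceof AccountByNameOnly
                    && username.equals(((AccountByNameOnly) o).username);
        }
        @Override public int hashCode() { return username.hashCode(); }
    }

    /** Fixed: the identity of an account is the (tenant, username) pair. */
    static final class Account {
        final String tenant;
        final String username;
        Account(String tenant, String username) {
            this.tenant = tenant;
            this.username = username;
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof Account)) return false;
            Account other = (Account) o;
            return tenant.equals(other.tenant) && username.equals(other.username);
        }
        @Override public int hashCode() { return Objects.hash(tenant, username); }
    }

    public static void main(String[] args) {
        // Constructed sample values; a real token comes from a secure random source.
        String stored = new String("a7f3c9e1");
        String presented = new String("a7f3c9e1");  // same contents, different object
        System.out.println("identity compare: " + tokenMatchesByIdentity(presented, stored));
        System.out.println("content compare:  " + tokenMatches(presented, stored));

        // An allow-list keyed on the flawed class lets "alice" from another tenant through.
        Set<AccountByNameOnly> admins = new HashSet<>();
        admins.add(new AccountByNameOnly("tenant-a", "alice"));
        System.out.println("wrong-factor ACL: " + admins.contains(new AccountByNameOnly("tenant-b", "alice")));

        Set<Account> adminsFixed = new HashSet<>();
        adminsFixed.add(new Account("tenant-a", "alice"));
        System.out.println("correct ACL:      " + adminsFixed.contains(new Account("tenant-b", "alice")));
    }
}
```

The negative tests the mitigation asks for are exactly the two cases exercised in main(): an equal value that must be accepted, and a distinct entity that shares some fields and must be rejected. A comparison scheme that passes only the positive case can still be wrong.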

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-697

 

Consequences

Other: Varies by Context

 

Potential Mitigations

Phase: Testing

Description: 

Thoroughly test the comparison scheme before deploying code into production. Perform positive testing as well as negative testing.

CVE References

CWE-103 – Struts: Incomplete validate() Method Definition


Description

The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form.

The Struts Validator uses a form’s validate() method to check the contents of the form properties against the constraints specified in the associated validation form. That means the following classes have a validate() method that is part of the validation framework: ValidatorForm, ValidatorActionForm, DynaValidatorForm, and DynaValidatorActionForm. If the code creates a class that extends one of these classes, and if that class implements custom validation logic by overriding the validate() method, the code must call super.validate() in the validate() implementation.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-573
CWE-20

 

Consequences

Other: Other

Disabling the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is the root cause of vulnerabilities like cross-site scripting, process control, and SQL injection.

Confidentiality, Integrity, Availability, Other: Other

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

 

Potential Mitigations

Phase: Implementation

Description: 

Implement the validate() method and call super.validate() within that method, before applying any custom checks, and return the ActionErrors it produces merged with your own.

CVE References

CWE-1037 – Processor Optimization Removal or Modification of Security-critical Code


Description

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-1038

 

Consequences

Integrity: Bypass Protection Mechanism

Successful exploitation of this weakness causes the processor to execute instructions in an order, or under conditions, that the developer did not intend, and is typically used to bypass a specific protection mechanism such as a bounds or privilege check. That bypass can then be leveraged to read data that should otherwise be inaccessible.

 

Potential Mitigations

CVE References

  • CVE-2017-5715
    • Spectre variant 2 (branch target injection). Intel, ARM, and AMD processor optimizations for speculative execution and branch prediction let an attacker steer speculative execution past access control checks; the speculatively loaded data leaves traces in the cache that a side channel can recover. Often known as “Spectre”.
  • CVE-2017-5753
    • Spectre variant 1 (bounds check bypass). Same root cause: the processor speculatively executes a load that a preceding bounds or permission check would reject, and the resulting cache state leaks the data. Often known as “Spectre”.
  • CVE-2017-5754
    • Intel processor optimizations for speculative execution let user-mode code speculatively read kernel memory despite the page-permission check, with the value recoverable from the cache. Often known as “Meltdown”.

CWE-1038 – Insecure Automated Optimizations


Description

The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: Low

 

Related Weaknesses

CWE-435
CWE-758

 

Consequences

Integrity: Alter Execution Logic

The optimizations alter the order of execution resulting in side effects that were not intended by the original developer.

 

Potential Mitigations

CVE References

CWE-1039 – Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations


Description

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-693
CWE-697

 

Consequences

Integrity: Bypass Protection Mechanism

When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.

 

Potential Mitigations

CVE References

CWE-104 – Struts: Form Bean Does Not Extend Validation Class


Description

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

In order to use the Struts Validator, a form must extend one of the following: ValidatorForm, ValidatorActionForm, DynaValidatorForm, or DynaValidatorActionForm. These classes are where the Struts Validator ties in to the application: they implement the validate() method that the framework calls before the Action runs. Forms derived directly from ActionForm or DynaActionForm cannot use the Struts Validator, so any rules declared for them in validation.xml are silently never applied.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-573
CWE-20

 

Consequences

Other: Other

Bypassing the validation framework for a form exposes the application to numerous types of attacks. Unchecked input is an important component of vulnerabilities like cross-site scripting, process control, and SQL injection.

Confidentiality, Integrity, Availability, Other: Other

Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

 

Potential Mitigations

Phase: Implementation

Description: 

Ensure that all forms extend one of the Validator form classes (ValidatorForm, ValidatorActionForm, DynaValidatorForm, or DynaValidatorActionForm).
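The two Struts weaknesses side by side, as an added example that is not taken from the CWE entries or from the Struts project: a form bean that extends ActionForm (CWE-104, the validator never runs), a form that extends ValidatorForm but overrides validate() without calling super.validate() (CWE-103, the validator is disabled for that form), and the corrected form. It assumes Struts 1.x and the servlet API on the classpath, and that validation.xml declares rules for a form bean named "registrationForm"; the class, field and message-key names are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

/*
 * Added example for CWE-104 and CWE-103 (not from the CWE entries). Assumes
 * Struts 1.x and that validation.xml holds rules for "registrationForm"
 * (e.g. required/minlength on "password"). All names are hypothetical.
 */

/** CWE-104: extends ActionForm, so the rules in validation.xml never run. */
class RegistrationFormNoValidator extends ActionForm {
    private String password;
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}

/** CWE-103: right base class, but validate() omits super.validate(), which disables validation.xml. */
class RegistrationFormNoSuper extends ValidatorForm {
    private String password;
    private String confirm;
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
    public String getConfirm() { return confirm; }
    public void setConfirm(String c) { confirm = c; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();   // framework rules are skipped
        if (password == null || !password.equals(confirm)) {
            errors.add("confirm", new ActionMessage("errors.password.mismatch"));
        }
        return errors;
    }
}

/** Fixed: validator base class, and the custom check runs on top of super.validate(). */
public class RegistrationForm extends ValidatorForm {
    private String username;
    private String password;
    private String confirm;
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
    public String getConfirm() { return confirm; }
    public void setConfirm(String c) { confirm = c; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = super.validate(mapping, request);  // validation.xml rules
        if (errors == null) {
            errors = new ActionErrors();
        }
        // Custom logic the declarative rules cannot express, merged into the same ActionErrors.
        if (password == null || !password.equals(confirm)) {
            errors.add("confirm", new ActionMessage("errors.password.mismatch"));
        }
        return errors;
    }
}
```

For the rules to take effect the bean must also be registered under the same name in struts-config.xml (form-bean name="registrationForm") and the action mapping must not set validate="false". A quick audit for both weaknesses is to list every form-bean type in struts-config.xml, confirm each extends one of the four Validator classes, and grep any validate() override in those classes for a super.validate( call.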

CVE References

CWE-1042 – Static Member Data Element outside of a Singleton Class Element


Description

The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class – that is, a class element that can be used only once in the ‘to’ association of a Create action.

Modes of Introduction:

 

 

Related Weaknesses

CWE-1176

 

Consequences

Other: Reduce Performance

 

Potential Mitigations

CVE References

CWE-1043 – Data Element Aggregating an Excessively Large Number of Non-Primitive Elements


Description

The software uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.

Modes of Introduction:

 

 

Related Weaknesses

CWE-1093

 

Consequences

Other: Reduce Performance

 

Potential Mitigations

CVE References