Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are common Java vulnerabilities?

Tags:

java

security

What are common Java vulnerabilities that can be exploited to gain some sort of access to a system? I have been thinking about it recently, and havent been able to come up with much of anything - integer overflow - maybe? race condition - what does it give you?

I am not looking for things like "sql injection in a web app". I am looking for a relationship similar to buffer overflow - c/c++.

Any security experts out there that can help out? Thanks.

like image 261
wuntee Avatar asked Jul 21 '10 17:07

wuntee


People also ask

Does Java have security issues?

Since late 2011, a multitude of critical vulnerabilities has been discovered in Oracle's Java platform. In many cases, running the latest available versions of Java offers no protection for users. To date, at least eight zero-day attacks targeted the Java platform, affecting millions of systems.

What are the three common vulnerabilities?

Network vulnerabilities come in many forms but the most common types are: Malware, short for malicious software, such as Trojans, viruses, and worms that are installed on a user's machine or a host server.

Why is Java considered a security risk?

As you can see, most vulnerabilities in Java pose serious security risks, because they allow cyber criminals to execute code or bypass something (usually defense mechanisms), both situations being strong attack vectors. And most of attacks which target Java are carried out via exploits.


2 Answers

Malicious Code injection.

Because Java (or any language using an interpreter at runtime), performs linkage at runtime, it is possible to replace the expected JARs (the equivalent of DLLs and SOs) with malicious ones at runtime.

This is a vulnerability, which is combated since the first release of Java, using various mechanisms.

  • There are protections in places in the classloaders to ensure that java.* classes cannot be loaded from outside rt.jar (the runtime jar).
  • Additionally, security policies can be put in place to ensure that classes loaded from different sources are restricted to performing only a certain set of actions - the most obvious example is that of applets. Applets are constrained by the Java security policy model from reading or writing the file system etc; signed applets can request for certain permissions.
  • JARs can also be signed, and these signatures can be verified at runtime when they're loaded.
  • Packages can also be sealed to ensure that they come from the same codesource. This prevents an attacker from placing classes into your package, but capable of performing 'malicious' operations.

If you want to know why all of this is important, imagine a JDBC driver injected into the classpath that is capable of transmitting all SQL statements and their results to a remote third party. Well, I assume you get the picture now.

like image 139
Vineet Reynolds Avatar answered Sep 27 '22 18:09

Vineet Reynolds


After reading most of the responses I think your question has been answered in an indirect way. I just wanted to point this out directly. Java doesn't suffer from the same problems you see in C/C++ because it protects the developer from these types of memory attacks (buffer overflow, heap overflow, etc). Those things can't happen. Because there is this fundamental protection in the language security vulnerabilities have moved up the stack.

They're now occurring at a higher level. SQL injection, XSS, DOS, etc. You could figure out a way to get Java to remotely load malicious code, but to do that would mean you'd need to exploit some other vulnerability at the services layer to remotely push code into a directory then trigger Java to load through a classloader. Remote attacks are theoretically possible, but with Java it's more complicated to exploit. And often if you can exploit some other vulnerability then why not just go after and cut java out of the loop. World writable directories where java code is loaded from could be used against you. But at this point is it really Java that's the problem or your sys admin or the vendor of some other service that is exploitable?

The only vulnerabilities that pose remote code potential I've seen in Java over the years have been from native code the VM loads. The libzip vulnerability, the gif file parsing, etc. And that's only been a handful of problems. Maybe one every 2-3 years. And again the vuln is native code loaded by the JVM not in Java code.

As a language Java is very secure. Even these issues I discussed that can be theoretically attacked have hooks in the platform to prevent them. Signing code thwarts most of this. However, very few Java programs run with a Security Manager installed. Mainly because of performance, usability, but mainly because these vulns are very limited in scope at best. Remote code loading in Java hasn't risen to epidemic levels that buffer overflows did in the late 90s/2000s for C/C++.

Java isn't bullet proof as a platform, but it's harder to exploit than the other fruit on the tree. And hackers are opportunistic and go for that low hanging fruit.

like image 28
chubbsondubs Avatar answered Sep 27 '22 18:09

chubbsondubs