CWE-111: Direct Use of Unsafe JNI

Weakness ID: 111
Vulnerability Mapping: ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Abstraction: Variant (a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.)

Description
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.

Extended Description
Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.

Common Consequences
This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
---|---|---
Access Control | Technical Impact: Bypass Protection Mechanism |
Potential Mitigations
Phase: Implementation. Implement error handling around the JNI call.
Phase: Implementation. Do not use JNI calls if you don't trust the native library.
Phase: Implementation. Be reluctant to use JNI calls. A Java API equivalent may exist.
Relationships
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)
Nature | Type | ID | Name
---|---|---|---
ChildOf | Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. | 695 | Use of Low-Level Functionality

Relevant to the view "Seven Pernicious Kingdoms" (CWE-700)
Nature | Type | ID | Name
---|---|---|---
ChildOf | Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. | 20 | Improper Input Validation
Modes Of Introduction
The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Demonstrative Examples

Example 1
The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user.

(bad code) Example Language: Java
    class Echo {
        public native void runEcho();

        static {
            System.loadLibrary("echo");
        }

        public static void main(String[] args) { }
    }

The following C code defines the native method implemented in the Echo class:

(bad code) Example Language: C
    #include <jni.h>
    #include "Echo.h" // the Java class above compiled with javah
    #include <stdio.h>

    JNIEXPORT void JNICALL Java_Echo_runEcho(JNIEnv *env, jobject obj) {
        char buf[64];
        gets(buf);
        printf(buf);
    }
Because the example is implemented in Java, it may appear that it is immune to memory issues like buffer overflow vulnerabilities. Although Java does do a good job of making memory operations safe, this protection does not extend to vulnerabilities occurring in source code written in other languages that are accessed using the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is vulnerable to a buffer overflow because it makes use of gets(), which does not check the length of its input.

The Sun Java(TM) Tutorial provides the following description of JNI [See Reference]:

"The JNI framework lets your native method utilize Java objects in the same way that Java code uses these objects. A native method can create Java objects, including arrays and strings, and then inspect and use these objects to perform its tasks. A native method can also inspect and use objects created by Java application code. A native method can even update Java objects that it created or that were passed to it, and these updated objects are available to the Java application. Thus, both the native language side and the Java side of an application can create, update, and access Java objects and then share these objects between them."

The vulnerability in the example above could easily be detected through a source code audit of the native method implementation. This may not be practical or possible depending on the availability of the C source code and the way the project is built, but in many cases it may suffice. However, the ability to share objects between Java and native methods expands the potential risk to much more insidious cases where improper data handling in Java may lead to unexpected vulnerabilities in native code or unsafe operations in native code corrupt data structures in Java.
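A hardened form of the native method above, added here as an illustration and not part of the CWE entry: fgets() bounds the read that gets() leaves unbounded, fputs() keeps the input from being interpreted as a printf format string, and an over-long line is reported to Java as an exception, in line with the mitigation "Implement error handling around the JNI call". The helper echo_line, the ECHO_* codes and the HAVE_JNI guard are assumptions of this example.

```c
/* Added example, not CWE's code: bounded, format-safe body for Java_Echo_runEcho. */
#include <stdio.h>
#include <string.h>
#if defined(__has_include)        /* build with or without a JDK on the include path */
#  if __has_include(<jni.h>)
#    include <jni.h>
#    define HAVE_JNI 1
#  endif
#endif

#define ECHO_BUF       64         /* same buffer size as the original example */
#define ECHO_IO_ERROR  (-1)       /* EOF or read/write failure */
#define ECHO_TOO_LONG  (-2)       /* line did not fit; nothing was echoed */

/* Hypothetical helper: echo one line from `in` to `out`.
 * Returns the number of bytes echoed or one of the negative codes above. */
int echo_line(FILE *in, FILE *out)
{
    char buf[ECHO_BUF];
    size_t len;

    if (fgets(buf, sizeof buf, in) == NULL)   /* fgets() honours the buffer size */
        return ECHO_IO_ERROR;
    len = strlen(buf);
    if (len == 0 || buf[len - 1] != '\n') {   /* no newline captured */
        int c = fgetc(in);
        if (c != EOF) {                       /* rest of an over-long line: discard it */
            while (c != '\n' && c != EOF)
                c = fgetc(in);
            return ECHO_TOO_LONG;
        }
    }
    /* Input is data, never a format string: "%n" or "%s" is printed literally. */
    return fputs(buf, out) == EOF ? ECHO_IO_ERROR : (int)len;
}

#ifdef HAVE_JNI
/* Same exported name as the page's native method; failure surfaces as a Java exception. */
JNIEXPORT void JNICALL Java_Echo_runEcho(JNIEnv *env, jobject obj)
{
    (void)obj;
    if (echo_line(stdin, stdout) == ECHO_TOO_LONG) {
        jclass ex = (*env)->FindClass(env, "java/lang/IllegalArgumentException");
        if (ex != NULL)                       /* if NULL, FindClass already raised an error */
            (*env)->ThrowNew(env, ex, "input line exceeds native buffer");
    }
}
#else
int main(void) { return echo_line(stdin, stdout) < 0; }  /* stand-alone check without a JVM */
#endif
```

The exception is unchecked, so the Java declaration of runEcho() needs no throws clause and callers can still catch it around the JNI call.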
Vulnerabilities in native code accessed through a Java application are typically exploited in the same manner as they are in applications written in the native language. The only challenge to such an attack is for the attacker to identify that the Java application uses native code to perform certain operations. This can be accomplished in a variety of ways, including identifying specific behaviors that are often implemented with native code or by exploiting a system information exposure in the Java application that reveals its use of JNI [See Reference].

Weakness Ordinalities
Ordinality | Description
---|---
Primary | (where the weakness exists independent of other weaknesses)
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Memberships
This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes
Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)
Reason: Acceptable-Use
Rationale: This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | Unsafe JNI
The CERT Oracle Secure Coding Standard for Java (2011) | SEC08-J | | Define wrappers around native methods
SEI CERT Oracle Coding Standard for Java | JNI01-J | | Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary)
SEI CERT Oracle Coding Standard for Java | JNI00-J | Imprecise | Define wrappers around native methods
Software Fault Patterns | SFP3 | | Use of an improper API
References

Content History

Submissions
Submission Date | Submitter | Organization
---|---|---
2006-07-19 (CWE Draft 3, 2006-07-19) | 7 Pernicious Kingdoms |

Modifications
Modification Date | Modifier | Organization | Change
---|---|---|---
2008-07-01 | Eric Dalci | Cigital | updated Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | updated Relationships, Other_Notes, References, Taxonomy_Mappings, Weakness_Ordinalities
2008-11-24 | CWE Content Team | MITRE | updated Description, Other_Notes
2009-10-29 | CWE Content Team | MITRE | updated Description, Other_Notes
2011-03-29 | CWE Content Team | MITRE | updated Demonstrative_Examples
2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2013-02-21 | CWE Content Team | MITRE | updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2017-11-08 | CWE Content Team | MITRE | updated Causal_Nature, Potential_Mitigations, References
2019-01-03 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2020-02-24 | CWE Content Team | MITRE | updated References, Relationships, Type
2021-03-15 | CWE Content Team | MITRE | updated Description
2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes
2024-02-29 (CWE 4.14, 2024-02-29) | CWE Content Team | MITRE | updated Demonstrative_Examples

Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Unsafe JNI