1. Access to system properties (2)
  2. Load arbitrary classes (7)
  3. Load arbitrary classes if caller is privileged (20)
  4. Load restricted class (2)
  5. Call arbitrary public methods (1)
  6. Access to arbitrary public method (4)
  7. Lookup MethodHandle (8)
  8. Access to MethodHandles for arbitrary protected methods (2)
  9. Use system class to call arbitrary MethodHandles (4)
  10. Get access to declared methods of a class if caller is privileged (3)
  11. Get access to declared method of a class (3)
  12. Get access to declared field of a class if caller is privileged (6)
  13. Get access to declared field of a class and set it accessible (13)
  14. Get access to declared, non-static fields of a serializable class and set them accessible (1)
  15. Read and write value of an arbitrary non-static field (1)
  16. Get access to declared method of a class and set it accessible (3)
  17. Get access to public constructors of a class (3)
  18. Get access to declared constructors of a class if caller is privileged (4)
  19. Define class in a privileged context (7)
  20. Set of restricted classes that define a user-provided class in a privileged context (22)
  21. Set of restricted classes that set a specified field accessible (9)
  22. Set of restricted classes that provide access to declared fields of non-restricted classes (3)
  23. Set arbitrary members accessible (1)
  24. Restricted field manipulation (5)
  25. Use system class to call arbitrary static methods (10)
  26. Use confused deputy to lookup MethodHandle (12)
  27. Call arbitrary method in privileged context (3)
  28. Call arbitrary instance method in privileged context (1)
  29. Use system class to call arbitrary methods (2)
  30. Use a system class to call a subset of methods (8)
  31. Instantiate arbitrary objects (1)
  32. Instantiate a subset of restricted classes (1)
  33. Create very large file (1)
  34. Call arbitrary method in trusted method chain (3)
  35. Access to MethodHandle of constructor of private inner class (1)
  36. Private PrivilegedAction that provides access to arbitrary no-argument methods and sets them accessible (1)
  37. Unlimited nesting of Object arrays (1)
Title:Access to system properties
ID:systemproperties
Number:1
Type:attacker
Precondition:The names of system properties whose values shall be retrieved.
Postcondition:The values of specified system properties are known to the attacker.
Description:An attacker can arbitrarily specify one or more names of system properties and can then retrieve their respective values.
Justification:The values of system properties should be protected by checking for java.util.PropertyPermission. When using implementations for this primitive, access to these values is possible without having appropriate permissions.
Comments:
Exploits:CVE-2012-5072a, CVE-2012-5072b

Title:Load arbitrary classes
ID:loadarbitraryclasses
Number:2
Type:attacker
Precondition:The names of classes that shall be loaded.
Postcondition:One instance of java.lang.Class for each class that was supposed to be loaded.
Description:An attacker can arbitrarily specify one or more names of classes to be loaded. For each specified class, the attacker will receive an instance of java.lang.Class for the respective type.
Justification:There is a set of restricted classes that should be inaccessible to untrusted code. Some of those restricted classes provide functionality that can be useful to an attacker.
Comments:
Exploits:CVE-2013-0422, CVE-2013-0431, MULTI-CVE-2012-4681-2012-5074, CVE-2012-4681, NO-CVE-12-ibm, NO-CVE-13-ibm, NO-CVE-14-ibm

Title:Load arbitrary classes if caller is privileged
ID:loadarbitraryclassescallerpriv
Number:3
Type:helper
Precondition:The names of classes that shall be loaded and a confused deputy that actually performs the call.
Postcondition:One instance of java.lang.Class for each class that was supposed to be loaded.
Description:An attacker can arbitrarily specify one or more names of classes to be loaded. For each specified class, the attacker will receive an instance of java.lang.Class for the respective type. This only works if the attacker has a way to perform the call on behalf of a privileged class.
Justification:There is a set of restricted classes that should be inaccessible to untrusted code. Preventing access to such classes by only checking the immediate caller is risky and increases the usefulness of confused deputies.
Comments:
Exploits:CVE-2012-5088a, CVE-2012-5088b, CVE-2013-2460, NO-CVE-8-ibm, CVE-2012-5076a1, CVE-2012-5076a2, CVE-2012-5076b, CVE-2012-5076c, CVE-2012-5076d, CVE-2012-5076e, CVE-2012-5076f, CVE-2012-5076g, MULTI-CVE-2012-1682-2012-5076, MULTI-CVE-2012-1682-2012-1726, MULTI-CVE-2012-5076-2012-5088, NO-CVE-10-ibm, NO-CVE-18-ibm, NO-CVE-19-ibm, NO-CVE-20-ibm, NO-CVE-9-ibm

Title:Load restricted class
ID:loadrestricted
Number:4
Type:attacker
Precondition:Name of restricted class that is supposed to be loaded.
Postcondition:Instance of java.lang.Class for the requested type.
Description:An attacker can load an arbitrary restricted class by providing its name.
Justification:Restricted classes provide functionality that can be used to disable the security manager.
Comments:
Exploits:CVE-2013-1489, MULTI-CVE-2012-5075-2012-4681

Title:Call arbitrary public methods
ID:callpublic
Number:5
Type:attacker
Precondition:The object upon which to perform the call, the method name, all arguments to the call.
Postcondition:The method has been called and the return value is available to the attacker.
Description:The attacker provides a target object to call an arbitrary public method with arbitrary arguments.
Justification:The methods of restricted classes should be inaccessible by untrusted code, even if they are public.
Comments:
Exploits:CVE-2012-4681

Title:Access to arbitrary public method
ID:accesspublicmethod
Number:6
Type:attacker
Precondition:Instance of java.lang.Class for the type that declares the method, method name, method parameter types.
Postcondition:Instance of java.lang.reflect.Method for the requested method.
Description:The attacker provides an instance of java.lang.Class for the type that declares the public method, the method name, and its parameter types. In return, the attacker will receive an instance of java.lang.reflect.Method for the specified method.
Justification:There are public methods in restricted classes that should not be available to untrusted code.
Comments:
Exploits:MULTI-CVE-2012-5075-2012-4681, NO-CVE-12-ibm, NO-CVE-13-ibm, NO-CVE-14-ibm

Title:Lookup MethodHandle
ID:lookup
Number:7
Type:helper
Precondition:An instance of java.lang.Class for the type that holds the members to which the attacker wants a MethodHandle, as well as the names/parameter types of the members. The type whose members shall be accessed needs to be accessible to the caller.
Postcondition:An instance of MethodHandle to the desired member.
Description:An attacker uses MethodHandles.publicLookup() or MethodHandles.lookup() to retrieve a lookup object without using a confused deputy. This object can be used to look up accessible MethodHandles.
Justification:There is a set of restricted classes that should be inaccessible to untrusted code. This should also include access to their public members. Using reflection to access these members would not be allowed due to access restrictions; getting a MethodHandle, however, is possible.
Comments:
Exploits:CVE-2012-5088a, CVE-2012-5088b, CVE-2013-0422, CVE-2012-5076a2, MULTI-CVE-2012-0547-2012-1726, MULTI-CVE-2012-1682-2012-1726, MULTI-CVE-2012-5076-2012-5088, NO-CVE-27

Title:Access to MethodHandles for arbitrary protected methods
ID:accesstoprotectedmethods
Number:8
Type:attacker
Precondition:Class file manipulation is required, and the type whose protected method shall be accessed must not be final.
Postcondition:An instance of MethodHandle to the desired method.
Description:Using this primitive requires class file manipulation. The manipulated class file can be used to obtain an instance of MethodHandle to a protected method.
Justification:There is a set of protected methods in system classes that can be used to disable all security checks.
Comments:
Exploits:CVE-2013-2436, NO-CVE-22-ibm

Title:Use system class to call arbitrary MethodHandles
ID:callanymethodhandlefromsystemclass
Number:9
Type:attacker
Precondition:The MethodHandle of the method to be invoked from a system class.
Postcondition:The method that is referenced by the provided MethodHandle has been called by a system class and the return value can be obtained by the attacker.
Description:An attacker can provide an instance of MethodHandle and then invoke the method in such a way that the called method's immediate caller is a system class (confused deputy). This can be beneficial if the called method is caller-sensitive and makes security-related decisions dependent on the immediate caller.
Justification:There are caller-sensitive methods in the JCL that make security-related decisions dependent on their immediate callers. Security checks may be bypassed if an attacker uses a confused deputy to call such a method, instead of calling it immediately.
Comments:
Exploits:CVE-2012-5088a, CVE-2012-5088b, CVE-2012-5076a2, MULTI-CVE-2012-5076-2012-5088

Title:Get access to declared methods of a class if caller is privileged
ID:getdeclaredmethodpriv
Number:10
Type:helper
Precondition:Instance of java.lang.Class for the type whose methods shall be accessed.
Postcondition:Array of java.lang.reflect.Method with all declared methods of the specified type.
Description:An attacker provides an instance of java.lang.Class for an arbitrary type whose methods shall be accessed. In return, the attacker will receive an array of java.lang.reflect.Method with all declared methods of the specified type, including public, protected, default, and private methods, but excluding inherited methods. This only works if the attacker has a way to perform the call on behalf of a privileged class.
Justification:An attacker can utilize a confused deputy to violate visibility rules and access members of restricted classes.
Comments:
Exploits:CVE-2012-5088b, CVE-2013-0431, CVE-2013-1489

Title:Get access to declared method of a class
ID:getdeclaredmethod
Number:11
Type:attacker
Precondition:Instance of java.lang.Class for the type whose method shall be accessed, the method name, and its parameter types.
Postcondition:Instance of java.lang.reflect.Method.
Description:An attacker provides a class, a method name, and the method's parameter types in order to get an instance of java.lang.reflect.Method for the specified member.
Justification:An attacker can bypass visibility rules to get access to methods (e.g., private methods) that were intended to be restricted.
Comments:
Exploits:NO-CVE-11-ibm, CVE-2012-5076, MULTI-CVE-2012-4681-2012-5074

Title:Get access to declared field of a class if caller is privileged
ID:getdeclaredfieldpriv
Number:12
Type:helper
Precondition:Instance of java.lang.Class for the type whose field shall be accessed, as well as the field's name.
Postcondition:Instance of java.lang.reflect.Field
Description:An attacker provides an instance of java.lang.Class for an arbitrary type whose declared field shall be accessed, as well as the field's name. In return, the attacker will receive an instance of java.lang.reflect.Field for the specified field. Access is possible to public, protected, default, or private fields, but not to inherited fields. This only works if the attacker has a way to perform the call on behalf of a privileged class.
Justification:An attacker can utilize a confused deputy to get access to fields that should be inaccessible to untrusted code.
Comments:
Exploits:NO-CVE-8-ibm, NO-CVE-10-ibm, NO-CVE-18-ibm, NO-CVE-19-ibm, NO-CVE-20-ibm, NO-CVE-9-ibm

Title:Get access to declared field of a class and set it accessible
ID:getdeclaredfieldaccess
Number:13
Type:attacker
Precondition:Instance of java.lang.Class for the type whose field shall be accessed, as well as its name.
Postcondition:Instance of java.lang.reflect.Field, and this field has been set accessible.
Description:An attacker provides an instance of java.lang.Class for an arbitrary type whose declared field shall be accessed, as well as the field's name. In return, the attacker will receive an instance of java.lang.reflect.Field for the specified field that was also set to be accessible.
Justification:This provides access to private fields of system classes.
Comments:
Exploits:CVE-2012-1726, CVE-2012-5076a1, CVE-2012-5076b, CVE-2012-5076c, CVE-2012-5076d, CVE-2012-5076e, CVE-2012-5076f, CVE-2012-5076g, MULTI-CVE-2012-0547-2012-1726, MULTI-CVE-2012-4681-2012-5074, CVE-2012-4681, MULTI-CVE-2012-1682-2012-1726, MULTI-CVE-2012-5075-2012-4681

Title:Get access to declared, non-static fields of a serializable class and set them accessible
ID:getdeclarednonstaticserializablefield
Number:14
Type:attacker
Precondition:Serializable class whose non-static fields shall be accessed.
Postcondition:Array of java.lang.reflect.Field that contains all declared, non-static fields of the specified type. Each field has been set accessible.
Description:An attacker provides a serializable class whose declared, non-static fields shall be accessed. In return, the attacker receives an array of Field that contains all declared, non-static fields of the specified type. Each field has been set accessible.
Justification:This provides access to private fields of system classes.
Comments:
Exploits:NO-CVE-26-ibm

Title:Read and write value of an arbitrary non-static field
ID:readwritefields
Number:15
Type:attacker
Precondition:Object whose instance field shall be read or written, the index of the target field in the target instance.
Postcondition:Field value has been read or written.
Description:The attacker provides an object that contains a field that is to be read or written, as well as the index of that target field. The index is determined by the order of declaration and does not consider static fields. If a value is to be written, the attacker also has to provide the new value.
Justification:This provides access to private field values of system classes.
Comments:
Exploits:NO-CVE-24-ibm

Title:Get access to declared method of a class and set it accessible
ID:getdeclaredmethodaccess
Number:16
Type:attacker
Precondition:Instance of java.lang.Class for the type whose method shall be accessed, as well as its name.
Postcondition:Instance of java.lang.reflect.Method, and this method has been set accessible.
Description:An attacker provides an instance of java.lang.Class for an arbitrary type whose declared method shall be accessed, as well as the method's name and parameter types. In return, the attacker will receive an instance of java.lang.reflect.Method for the specified method that was also set to be accessible.
Justification:This provides access to private methods of system classes.
Comments:
Exploits:CVE-2012-1726, MULTI-CVE-2012-4681-2012-5074, MULTI-CVE-2012-5075-2012-4681

Title:Get access to public constructors of a class
ID:getpublicconstructor
Number:17
Type:attacker
Precondition:Instance of java.lang.Class for the type whose constructor shall be accessed, and its parameter types.
Postcondition:Instance of java.lang.reflect.Constructor.
Description:An attacker provides a class and the constructor's parameter types in order to get an instance of java.lang.reflect.Constructor for the specified type.
Justification:An attacker can use this to get access to constructors of restricted classes.
Comments:
Exploits:NO-CVE-12-ibm, NO-CVE-13-ibm, NO-CVE-14-ibm

Title:Get access to declared constructors of a class if caller is privileged
ID:getdeclaredconstructorpriv
Number:18
Type:helper
Precondition:Instance of java.lang.Class for the type whose constructor shall be accessed, as well as an array of its parameter types.
Postcondition:Instance of java.lang.reflect.Constructor
Description:An attacker provides an instance of java.lang.Class for an arbitrary type whose constructor shall be accessed, as well as an array of its parameter types. In return, the attacker will receive an instance of java.lang.reflect.Constructor for the specified constructor. This only works if the attacker has a way to perform the call on behalf of a privileged class.
Justification:An attacker can utilize a confused deputy to get access to a constructor of a restricted class.
Comments:
Exploits:NO-CVE-8-ibm, NO-CVE-10-ibm, NO-CVE-19-ibm, NO-CVE-9-ibm

Title:Define class in a privileged context
ID:definepriv
Number:19
Type:attacker
Precondition:Representation of the class to be defined.
Postcondition:Instance of java.lang.Class that was defined in a privileged context.
Description:The attacker provides a representation of a class (e.g., a byte array) that is supposed to be defined in a privileged context. Using this primitive will then define the class and return an instance of java.lang.Class.
Justification:Untrusted code should be incapable of defining classes in a privileged context, because they can be used to bypass all security checks.
Comments:
Exploits:CVE-2008-5353, CVE-2010-0094, CVE-2012-0507, NO-CVE-15-ibm, NO-CVE-21-ibm, NO-CVE-28-ibm, NO-CVE-29-ibm

Title:Set of restricted classes that define a user-provided class in a privileged context
ID:restricteddefinepriv
Number:20
Type:helper
Precondition:Instances of java.lang.Class for the required restricted classes, a way to call the required methods, and a byte-array of the class to be defined.
Postcondition:An instance of java.lang.Class that was defined in a privileged context for the type that is represented by the byte-array.
Description:The attacker needs a way to get access to a set of restricted classes that provide functionality for defining classes in a privileged context. Then, the attacker needs to find a way to get access to that functionality. Finally, the attacker calls this functionality by providing a byte-array that represents the type to be defined.
Justification:Untrusted code should be incapable of defining classes in a privileged context, because they can be used to bypass all security checks. Providing a set of restricted classes that offer such functionality without performing a permission check is risky, because an attacker may find a way to get access to those classes and their methods.
Comments:
Exploits:CVE-2012-1726, CVE-2012-5088a, CVE-2012-5088b, CVE-2013-0422, CVE-2013-0431, CVE-2013-2460, CVE-2012-5076, CVE-2012-5076a1, CVE-2012-5076a2, CVE-2012-5076b, CVE-2012-5076c, CVE-2012-5076d, CVE-2012-5076e, CVE-2012-5076f, CVE-2012-5076g, MULTI-CVE-2012-0547-2012-1726, MULTI-CVE-2012-1682-2012-5076, MULTI-CVE-2012-4681-2012-5074, CVE-2013-1489, MULTI-CVE-2012-1682-2012-1726, MULTI-CVE-2012-5075-2012-4681, MULTI-CVE-2012-5076-2012-5088

Title:Set of restricted classes that set a specified field accessible
ID:restrictedsetaccessible
Number:21
Type:helper
Precondition:Instances of java.lang.Class for the required restricted classes, and a way to call the required methods. An instance of java.lang.reflect.Field for the field that shall be set accessible.
Postcondition:The specified field is accessible.
Description:The attacker needs a way to get access to the set of restricted classes and a way to call those methods that will set a specified field accessible.
Justification:If an attacker finds a way to get reflective access to a critical field that is supposed to be inaccessible (e.g., a private field), this primitive can be used to make it accessible nevertheless. This bypasses visibility rules and allows untrusted code to access members that were intended to be restricted.
Comments:
Exploits:NO-CVE-8-ibm, NO-CVE-10-ibm, NO-CVE-12-ibm, NO-CVE-13-ibm, NO-CVE-14-ibm, NO-CVE-18-ibm, NO-CVE-19-ibm, NO-CVE-20-ibm, NO-CVE-9-ibm

Title:Set of restricted classes that provide access to declared fields of non-restricted classes
ID:restrictedgetfields
Number:22
Type:helper
Precondition:Instances of java.lang.Class for the required restricted classes, and a way to call the required methods. An instance of java.lang.Class that contains the fields that are supposed to be accessed.
Postcondition:Instances of java.lang.reflect.Field of all declared fields of the specified type.
Description:The attacker needs a way to get access to the set of restricted classes and a way to call the required methods. The attacker then provides an instance of java.lang.Class for the target type and receives an array of java.lang.reflect.Field for all declared fields of the specified type. The target type must not be a restricted class.
Justification:This provides access to private fields of system classes.
Comments:
Exploits:NO-CVE-12-ibm, NO-CVE-13-ibm, NO-CVE-14-ibm

Title:Set arbitrary members accessible
ID:setaccessible
Number:23
Type:attacker
Precondition:Instances of java.lang.reflect.AccessibleObject for the members that shall be set accessible.
Postcondition:The specified members are accessible.
Description:The attacker can use this primitive to set arbitrary class members accessible. An instance of java.lang.reflect.AccessibleObject is required.
Justification:An attacker can get access to critical members that were supposed to be inaccessible (e.g., private members).
Comments:
Exploits:NO-CVE-11-ibm

Title:Restricted field manipulation
ID:restrictedfieldmanipulation
Number:24
Type:attacker
Precondition:Information about field location in memory.
Postcondition:A certain field value has been modified.
Description:The attacker can modify field values through memory manipulation. For this, the attacker may require information about field locations in memory. The memory locations that can be modified may be restricted and are determined by the implementation.
Justification:Modifying field values through memory manipulation can be used to bypass visibility restrictions. Modifying values of private fields of system classes can be used to disable all security checks.
Comments:
Exploits:CVE-2013-2423, CVE-2013-2465, CVE-2013-1475, NO-CVE-27, NO-CVE-3

Title:Use system class to call arbitrary static methods
ID:callstaticfromsystemclass
Number:25
Type:attacker
Precondition:Instance of java.lang.reflect.Method that is supposed to be called from a system class.
Postcondition:The specified method has been called and the return value is available to the attacker.
Description:The attacker provides an instance of java.lang.reflect.Method that represents an arbitrary static method. Using this primitive calls this Method from a system class and delivers the return value.
Justification:There are caller-sensitive methods in the JCL that make security-related decisions dependent on their immediate callers. Security checks may be bypassed if an attacker uses a confused deputy to call such a method, instead of calling it immediately. Also, methods in restricted classes should be inaccessible to untrusted code.
Comments:
Exploits:CVE-2013-2460, CVE-2012-5076a1, CVE-2012-5076a2, CVE-2012-5076b, CVE-2012-5076c, CVE-2012-5076d, CVE-2012-5076e, CVE-2012-5076f, CVE-2012-5076g, MULTI-CVE-2012-5076-2012-5088

Title:Use confused deputy to lookup MethodHandle
ID:lookupcd
Number:26
Type:helper
Precondition:Instance of java.lang.Class that contains the member, for which a MethodHandle shall be retrieved, as well as its name and parameter types.
Postcondition:Instance of MethodHandle for the specified member.
Description:There are various ways to use the MethodHandles API, and parts of it are caller-sensitive. An attacker can use a confused deputy to retrieve a lookup object (using MethodHandles.lookup()), which can be used to access members that are accessible to the confused deputy, but should be inaccessible to untrusted code. There are also other caller-sensitive methods in the MethodHandles API that can be used by an attacker.
Justification:If an attacker finds a way to receive the lookup object on behalf of a system class, she may get access to otherwise inaccessible members.
Comments:
Exploits:CVE-2013-2460, CVE-2012-5076a1, CVE-2012-5076a2, CVE-2012-5076b, CVE-2012-5076c, CVE-2012-5076d, CVE-2012-5076e, CVE-2012-5076f, CVE-2012-5076g, MULTI-CVE-2012-5076-2012-5088, NO-CVE-18-ibm, NO-CVE-20-ibm

Title:Call arbitrary method in privileged context
ID:callpriv
Number:27
Type:attacker
Precondition:Instance of java.lang.reflect.Method that is supposed to be called. If this method is not static, also the object upon which this method shall be called is required. All arguments for the method call.
Postcondition:The method has been called by a system class within a doPrivileged-block and the return value is available to the attacker.
Description:An attacker provides an instance of java.lang.reflect.Method that is supposed to be called within a doPrivileged-block of a system class. The method can be called with arbitrary arguments and the return value is available to the attacker.
Justification:If untrusted code manages to call arbitrary methods in a privileged context, all restrictions imposed by the runtime can be bypassed.
Comments:
Exploits:NO-CVE-6-ibm, NO-CVE-25-ibm, NO-CVE-7-ibm

Title:Call arbitrary instance method in privileged context
ID:callinstanceprivileged
Number:28
Type:attacker
Precondition:Instance of java.lang.reflect.Method for the instance method that is supposed to be called, the object that contains the method, and all arguments.
Postcondition:The method has been called by a system class within a doPrivileged-block and the return value is available to the attacker.
Description:An attacker provides an instance of java.lang.reflect.Method for the instance method that is supposed to be called within a doPrivileged-block of a system class, as well as the object that contains the method. The call can be performed with arbitrary arguments and the return value is available to the attacker.
Justification:A combination of certain instance methods can be used to disable all security checks, if they can be executed within a privileged context.
Comments:
Exploits:NO-CVE-30-ibm

Title:Use system class to call arbitrary methods
ID:callmethodfromsystemclass
Number:29
Type:attacker
Precondition:Class name, method name, an object upon which to perform the call, call arguments.
Postcondition:The specified method has been called with the specified arguments from a system class and the return value is available to the attacker.
Description:The attacker provides a class name, method name, arguments, and an object upon which to perform the call. Using this primitive will then call the specified method with the specified arguments through a system class and return the return value to the attacker.
Justification:There are caller-sensitive methods in the JCL that make security-related decisions dependent on their immediate callers. Security checks may be bypassed if an attacker uses a confused deputy to call such a method, instead of calling it immediately. Also, methods in restricted classes should be inaccessible to untrusted code.
Comments:
Exploits:MULTI-CVE-2012-1682-2012-5076, MULTI-CVE-2012-1682-2012-1726

Title:Use a system class to call a subset of methods
ID:callsubsetfromsystemclass
Number:30
Type:attacker
Precondition:Specification of which method to call; this depends on the implementation.
Postcondition:The specified method has been called through a system class and the return value is available to the attacker.
Description:Using this primitive will allow an attacker to use a system class to call a specified method and retrieve the return value. This only works for a subset of methods, which is determined by the implementation.
Justification:There are caller-sensitive methods in the JCL that make security-related decisions dependent on their immediate callers. Security checks may be bypassed if an attacker uses a confused deputy to call such a method, instead of calling it immediately.
Comments:
Exploits:CVE-2013-0431, NO-CVE-8-ibm, CVE-2013-1489, NO-CVE-10-ibm, NO-CVE-18-ibm, NO-CVE-19-ibm, NO-CVE-20-ibm, NO-CVE-9-ibm

Title:Instantiate arbitrary objects
ID:instantiate
Number:31
Type:attacker
Precondition:Class name, arguments.
Postcondition:Instance of java.lang.Object.
Description:The attacker provides a class name for the type that is supposed to be instantiated, as well as all arguments to the constructor that shall be used for instantiation. In return, the attacker will receive an instance of java.lang.Object for the type.
Justification:Untrusted code should be incapable of instantiating restricted classes.
Comments:
Exploits:CVE-2012-5076

Title:Instantiate a subset of restricted classes
ID:instantiatesubset
Number:32
Type:attacker
Precondition:Class name, arguments.
Postcondition:Instance of java.lang.Object.
Description:The attacker provides a class name for the type that is supposed to be instantiated, as well as the required arguments to the constructor. In return, the attacker will receive an instance of java.lang.Object for the type. This only works for a subset of restricted classes, which is determined by the implementations.
Justification:Untrusted code should be incapable of instantiating restricted classes.
Comments:
Exploits:MULTI-CVE-2012-5075-2012-5071

Title:Create very large file
ID:verylargefile
Number:33
Type:attacker
Precondition:
Postcondition:A very large file is created on the filesystem.
Description:The attacker is able to create a huge file on the filesystem of the system.
Justification:Untrusted code should not be able to write a huge file on the filesystem.
Comments:
Exploits:CVE-2006-2426

Title:Call arbitrary method in trusted method chain
ID:executemethodastrusted
Number:34
Type:attacker
Precondition:Some implementations may require the instance upon which to perform the method call.
Postcondition:A specified method has been called within a trusted method chain.
Description:The attacker initiates a new thread, e.g., using GUI functionality, that only contains trusted classes. The attacker is able to influence the control flow of the thread by setting certain variables to specific values, e.g., setting scripts that will be evaluated dynamically by a trusted class. In effect, the thread will perform a specific method call that is profitable to the attacker.
Justification:Performing arbitrary method calls within a trusted method chain can be used by an attacker to bypass permission checks.
Comments:
Exploits:CVE-2010-0840, CVE-2011-3544, CVE-2013-1488

Title:Access to MethodHandle of constructor of private inner class
ID:accessprivateinnerclasses
Number:35
Type:attacker
Precondition:
Postcondition:A MethodHandle pointing to the constructor of a private inner class.
Description:The attacker is able to access a private inner class by using MethodHandles. He can receive a MethodHandle to the constructor of such a class.
Justification:Private inner classes should not be accessible from outside classes.
Comments:
Exploits:CVE-2012-1726

Title:Private PrivilegedAction that provides access to arbitrary no-argument methods and sets them accessible
ID:accessprivatemethodsprivaction
Number:36
Type:helper
Precondition:Access to private PrivilegedAction, instance of java.lang.Class for the type whose method shall be accessed, as well as the method's name
Postcondition:An instance of java.lang.reflect.Method for the specified method, which was set accessible.
Description:The attacker uses a private PrivilegedAction to get access to specified methods of specified classes.
Justification:Unauthorized access to private methods of other classes violates information hiding.
Comments:
Exploits:CVE-2012-1726

Title:Unlimited nesting of Object arrays
ID:unlimitednesting
Number:37
Type:attacker
Precondition:
Postcondition:JVM crashes
Description:An attacker provides an infinite loop creating an object array (Object[]) and initializes it with a static Object. Afterwards, he assigns the object array to the Object. After a few seconds the JVM crashes.
Justification:The JVM should provide an error message instead of crashing.
Comments:
Exploits:CVE-2003-1301


File created: 2016-10-21 14:48:23.558320