Posted to dev@fineract.apache.org by "Thisura (JIRA)" <ji...@apache.org> on 2017/04/21 20:22:04 UTC
[jira] [Updated] (FINERACT-436) Fix security vulnerabilities related to using public mutable and nonconstant fields
[ https://issues.apache.org/jira/browse/FINERACT-436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thisura updated FINERACT-436:
-----------------------------
Description:
There are multiple security vulnerabilities found in fineract-provider as described in [this report \[1\]|https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4]
There are four types of vulnerabilities related to using public mutable and nonconstant fields.
1. Mutable fields should not be "public static"
* MITRE, CWE-582 - Array Declared Public, Final, and Static
* MITRE, CWE-607 - Public Static Final Field References Mutable Object
2. "static final" arrays should be "private"
* MITRE, CWE-582 - Array Declared Public, Final, and Static
* MITRE, CWE-607 - Public Static Final Field References Mutable Object
3. "public static" fields should be constant
* MITRE, CWE-500 - Public Static Field Not Marked Final
* CERT OBJ10-J - Do not use public static nonfinal variable
4. "enum" fields should not be publicly mutable
The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the [report \[1\]|https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4].
The proposed [solutions \[2\]|https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U] are as follows (each solution corresponds to the vulnerability type with the same number above).
1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class move them to a separate class and lower the visibility.
2. "static final" arrays should be "private" => Make the arrays private
3. "public static" fields should be constant => Make the respective field final
4. "enum" fields should not be publicly mutable => Lower the visibility of the setter, or remove it altogether.
\[1\] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
\[2\] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
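The four field patterns above, each beside the fix the proposed solutions call for, as an added Java example; this is not Fineract code, and the class, field and enum names (BeforeConfig, AfterStatus, MAX_LOGIN_ATTEMPTS and so on) are invented for illustration. The type 2 case is shown for completeness even though the page treats the Fineract instance of it as a false positive.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Types 1 and 2: a public static mutable object or array can be reassigned or
// modified by any class on the classpath, so readers trust every possible writer.
class BeforeConfig {
    public static List<String> allowedCurrencies = Arrays.asList("USD", "EUR");
    public static final String[] ROLES = {"admin", "user"};   // final reference, writable elements
}

class AfterConfig {
    // Type 1 fix: private, final, and only an unmodifiable view leaves the class.
    private static final List<String> ALLOWED_CURRENCIES =
            Collections.unmodifiableList(Arrays.asList("USD", "EUR"));
    // Type 2 fix: private array, handed out only as a defensive copy.
    private static final String[] ROLES = {"admin", "user"};

    public static List<String> allowedCurrencies() { return ALLOWED_CURRENCIES; }
    public static String[] roles() { return ROLES.clone(); }
}

// Type 3: a public static non-final field is a global that any caller can overwrite.
class BeforeLimits { public static int MAX_LOGIN_ATTEMPTS = 5; }
class AfterLimits  { public static final int MAX_LOGIN_ATTEMPTS = 5; }

// Type 4: each enum constant is a singleton, so a public setter on it changes
// the value seen by every user of that constant.
enum BeforeStatus {
    ACTIVE(300), CLOSED(600);
    private Integer code;
    BeforeStatus(Integer code) { this.code = code; }
    public Integer getCode() { return code; }
    public void setCode(Integer code) { this.code = code; }   // publicly mutable
}

enum AfterStatus {
    ACTIVE(300), CLOSED(600);
    private final Integer code;                               // no setter at all
    AfterStatus(Integer code) { this.code = code; }
    public Integer getCode() { return code; }
}

public class FieldVisibilityDemo {
    public static void main(String[] args) {
        BeforeStatus.ACTIVE.setCode(999);        // rewrites the shared constant for every caller
        AfterConfig.roles()[0] = "x";            // touches only the copy; ROLES is unchanged
        System.out.println(BeforeStatus.ACTIVE.getCode() + " " + AfterConfig.roles()[0]);
    }
}
```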
> Fix security vulnerabilities related to using public mutable and nonconstant fields
> -----------------------------------------------------------------------------------
>
> Key: FINERACT-436
> URL: https://issues.apache.org/jira/browse/FINERACT-436
> Project: Apache Fineract
> Issue Type: Bug
> Components: Accounting, Organization
> Reporter: Thisura
> Assignee: Markus Geiss
>
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)