fineract-dev mailing list archives

From "Thisura (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FINERACT-470) Fix security vulnerabilities related to using public mutable and nonconstant fields
Date Sun, 28 May 2017 04:38:04 GMT

     [ https://issues.apache.org/jira/browse/FINERACT-470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thisura updated FINERACT-470:
-----------------------------
    Description: 
There are multiple security vulnerabilities found in fineract-provider as described in this report [1].
There are four types of vulnerabilities related to using public mutable and nonconstant fields.
1. Mutable fields should not be "public static"
MITRE, CWE-582 - Array Declared Public, Final, and Static
MITRE, CWE-607 - Public Static Final Field References Mutable Object
2. "static final" arrays should be "private"
MITRE, CWE-582 - Array Declared Public, Final, and Static
MITRE, CWE-607 - Public Static Final Field References Mutable Object
3. "public static" fields should be constant
MITRE, CWE-500 - Public Static Field Not Marked Final
CERT OBJ10-J - Do not use public static nonfinal variable
4. "enum" fields should not be publicly mutable
The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1].
The proposed solutions [2] are as follows (solutions are respective to each vulnerability type above).
1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
2. "static final" arrays should be "private" => Make the arrays private.
3. "public static" fields should be constant => Make the respective field final.
4. "enum" fields should not be publicly mutable => Lower the visibility of the setter or remove it altogether.
[1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
[2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
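As an added illustration, not code from the issue, the report, or the Fineract code base, the following Java sketch shows each of the four field patterns listed above in a deliberately weak form beside a hardened form. All class, field and enum names are hypothetical. The hardened forms go one step beyond the issue's "make protected" suggestion by keeping the mutable state private and exposing only a read-only view; `List.of` assumes Java 9 or later.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration with hypothetical names (not Fineract code): the four
// patterns from FINERACT-470, each weak form beside a hardened form.
public final class PublicFieldPatterns {

    private PublicFieldPatterns() {}

    // ---- Type 1 / CWE-607: public static final reference to a mutable object ----
    // Weak: "final" pins the reference, not the contents. Any caller can run
    // Weak.DEFAULT_SETTINGS.put("trusted", "true") and every other user of the
    // map sees the change.
    static final class Weak {
        public static final Map<String, String> DEFAULT_SETTINGS = new HashMap<>();
    }
    // Hardened: the map stays private; callers get an unmodifiable view.
    static final class Hardened {
        private static final Map<String, String> DEFAULT_SETTINGS = new HashMap<>();
        public static Map<String, String> defaultSettings() {
            return Collections.unmodifiableMap(DEFAULT_SETTINGS);
        }
    }

    // ---- Type 2 / CWE-582: array declared public, final and static ----
    // Weak: the array reference is final but its elements are writable, so
    // WeakArray.SUPPORTED_CURRENCIES[0] = "XXX" silently succeeds.
    static final class WeakArray {
        public static final String[] SUPPORTED_CURRENCIES = {"USD", "EUR"};
    }
    // Hardened: private array, immutable copy handed out (List.of: Java 9+).
    static final class HardenedArray {
        private static final String[] SUPPORTED_CURRENCIES = {"USD", "EUR"};
        public static List<String> supportedCurrencies() {
            return List.of(SUPPORTED_CURRENCIES); // copies; the array itself is never exposed
        }
    }

    // ---- Type 3 / CWE-500, CERT OBJ10-J: public static field not marked final ----
    // Weak: a global that any class can overwrite, with no synchronisation.
    static final class WeakLimit {
        public static int maxLoginAttempts = 5;
    }
    // Hardened: the value is a constant.
    static final class HardenedLimit {
        public static final int MAX_LOGIN_ATTEMPTS = 5;
    }

    // ---- Type 4: enum with a publicly mutable field ----
    // Weak: enum constants are process-wide singletons, so a public setter lets
    // one caller redefine what ACTIVE means for every thread in the JVM.
    enum WeakStatus {
        ACTIVE("active"), CLOSED("closed");
        private String code;
        WeakStatus(String code) { this.code = code; }
        public String getCode() { return code; }
        public void setCode(String code) { this.code = code; } // the reported defect
    }
    // Hardened: field final, setter removed.
    enum HardenedStatus {
        ACTIVE("active"), CLOSED("closed");
        private final String code;
        HardenedStatus(String code) { this.code = code; }
        public String getCode() { return code; }
    }

    // Self-check: every weak form accepts a write; the hardened forms either
    // reject it at runtime or offer no mutation path at all.
    public static void main(String[] args) {
        Weak.DEFAULT_SETTINGS.put("trusted", "true");        // silently succeeds
        WeakArray.SUPPORTED_CURRENCIES[0] = "XXX";           // silently succeeds
        WeakLimit.maxLoginAttempts = Integer.MAX_VALUE;      // silently succeeds
        WeakStatus.ACTIVE.setCode("closed");                 // silently succeeds
        System.out.println("weak forms mutated: " + WeakStatus.ACTIVE.getCode());

        try {
            Hardened.defaultSettings().put("trusted", "true");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened map rejected the write");
        }
        try {
            HardenedArray.supportedCurrencies().set(0, "XXX");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened list rejected the write");
        }
        // HardenedLimit.MAX_LOGIN_ATTEMPTS = 1;   // does not compile: final
        // HardenedStatus.ACTIVE.setCode("x");     // does not compile: no setter
    }
}
```

The point the CWE entries make is visible in the `main` method: `final` on a reference type only freezes the reference, so a `static final` map or array is still shared writable state unless the object behind it is immutable or hidden. When reviewing a fix for this class of finding, check that the accessor returns a copy or an unmodifiable view rather than the private field itself, otherwise the visibility change alone does not close the issue.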

> Fix security vulnerabilities related to using public mutable and nonconstant fields
> -----------------------------------------------------------------------------------
>
>                 Key: FINERACT-470
>                 URL: https://issues.apache.org/jira/browse/FINERACT-470
>             Project: Apache Fineract
>          Issue Type: Bug
>            Reporter: Thisura
>            Assignee: Markus Geiss
>



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
