Java Security Vulnerabilities and Language Overview

Java Language Vulnerabilities

What is Java?

Originally released in May 1995, Java is the most popular programming language in the world with over 95% of all enterprise desktops running on Java. Jave is designed to let developers “write once, run anywhere” (WORA), meaning that code written in Java is able to run on all platforms with Java support with no need for further recompilation.

 

Java is a concurrent, class-based, object-oriented general-purpose programming language that is celebrated for being fast, secure and reliable and can be found everywhere from the most popular websites to mobile devices and from gaming consoles to enterprise data centers and beyond. Licensed under the GNU General Public License, Java is free to download.

Java Mascot

The Java mascot Duke who was created by Joe Palrang who was involved in the animation of Shrek

Java is influenced by numerous programming languages including C++, C#, Eiffel, Mesa, Modula-3, Objective-C and others and played an important role in the development many popular programming languages such as Groovy, Hack, Haxe, Kotlin, PHP, Python, Scala and others. Worldwide, there are over 9 million Java developers which, if they all banded together and formed a country, would be the 95th largest country by population in the world, or, if they created a city, it would be tied for the 20th largest in the world.

 

 

 

Why Was Java Initially Created?

In the early 1990s, extending the power of networking computing to everyday life was considered a radical vision and a group of Sun Microsystem engineers, known as the “Green Team,” led by James Gosling, sought to realize this vision by ushering in the next wave in computing through the union of consumer devices and computers with the creation of Java. This team of Sun engineers was slightly ahead of their time as their initial focus of their efforts on interactive television and this project’s language was originally called Oak, after the tree outside of Gosling’s office, prior to its renaming to Java after Java coffee.

James Gosling, the creator of Java

James Gosling, the creator of Java

While Java was ahead of the curve when it came to interactive television, it emerged at the same time as the internet was beginning to take off and was a perfect match for this emerging technology. In 1995 it was announced that the Netscape Navigator internet browser would incorporate Java technology and since then major web browsers have incorporated the ability to run Java applets.  

 

As with most coding languages, the development of Java was guided by a number of principals which influenced Java’s creation and continued development:

 

  • It must be “simple, object-oriented, and familiar”.
  • It must be “robust and secure”.
  • It must be “architecture-neutral and portable”.
  • It must execute with “high performance”.
  • It must be “interpreted, threaded, and dynamic”.

 

Major Java Frameworks and their Security Threats:

 

Struts

Struts is a free,action-based open-source, Model–view–controller (MVC) framework used to develop Java EE web applications. Released in May 2000, Struts was written by Craig McClanahan and donated to the Apache Foundation, the main goal behind Struts is the separation of the model (application logic that interacts with a database) from the view (HTML pages presented to the client) and the controller (instance that passes information between view and model).

 

A major security concern facing applications built using Struts is remote code execution. In 2010, Struts2, a popular Struts framework was downloaded over 1 million times in 2010 by over 18,000 organizations and included a unique class of weakness which allowed

Malicious parties to execute arbitrary code on any Struts2 web application.

 

Spring MVC

Spring MVC is a Spring application framework written by Spring developers as a response to what they saw as design flaws in other popular frameworks such as insufficient separation between the presentation and request handling layers, and between the request handling layer and the model. Like Struts, Spring MVC is also an action-based framework. In 2011, Spring MVC, along with Struts, was considered one of the most downloaded vulnerable libraries due to CVE-2012-3451, this version had been downloaded over 18 million times between 2011-2012 by over 43,000 organizations

  

 

Google Web Toolkit (GWT)

As an open source set of tools which allow developers to create and maintain complex JavaScript front-end apps in Java, Google Web Toolkit (GWT) is free and used by both Google and thousands of developers across the globe. GWT was designed to enable the productive development high-performance web applications without the coder needing to have an advanced knowledge of browser quirks, XMLHttpRequest, and JavaScript. Due to the fact that GWT produces JavaScript code, GWT applications need to be secured against all threats facing JavaScript applications.

 

Hibernate

Hibernate ORM, known as simply Hibernate, is an object-relational mapping framework for the Java language. Designed for mapping Java classes to database tables and mapping from Java data types to SQL data types. Applications containing Hibernate can be threatened by SQL injections if if SQL, or HQL, queries are generated by concatenating strings. One way to protect against these is by using named parameters in any SQL or HQL.

OWASP ESAPI

OWASP ESAPI, the OWASP Enterprise Security API, is a free, open source, web application security control library which makes it simpler for developers to write lower-risk applications while the ESAPI libraries are designed to make it easier for programmers to retroactively add security into existing applications.

Java Server Faces (JSF)

Formalized as a standard through the Java Community Process, Java Server Faces (JSF) is a Java specification for building component-based user interfaces for web applications. According to OWASP “JSF does not implement its own security model but instead relies on standard JEE security. This means that both application server security model, JAAS or other ACL implementations can be used with the JSF framework without any integration effort.” A security concern for applications which implement JSF is Access Control and Authorization issues.

 

JSP

JavaServer Pages (JSP) is built on top of Servlet API and allows for the embedding of Java code which is compiled and then executed when a request is received. A common threat to JSP code is cross-site scripting (XSS).

 

Java Security Vulnerabilities

While the Java platform includes numerous features designed to improve the security of Java applications, it’s critical for developers to ensure that their Java code is vulnerability free at the earliest stages of the software development life cycle. Avoiding Java security mistakes such as not restricting access to classes and variables, not finalizing classes, relying on package scoop and others is the best place to start when securing Java code, it’s also important for developers to familiarize themselves with the common security threats facing Java code, as well as Java frameworks. For more information on securing Java code during development, read 9 Security mistakes every Java Developer must avoid here.

 

High-Risk Java Security Vulnerabilities:

With over 95% of all enterprise desktops in the world running Java, there are serious consequences when vulnerabilities in Java code make it to production and are exploited by malicious parties. The following is a list of some of the high risk threats facing applications written in Java:

 

  • Code Injections
  • Command Injections
  • Connection String Injection
  • LDAP Injection
  • Reflected XSS
  • Resource Injection
  • Second Order SQL Injection
  • SQL Injection
  • Stored XSS
  • XPath Injection

 

Securing your Java

Checkmarx’s CxSAST, a static code analysis solution, stands out amongst Java testing solutions as not only the solution which will keep your Java code free from security and compliance issues, but also as the tool which will contribute to your organization’s advancement when it comes to application security maturity.

 

CxSAST works with the tools your developers are already using as it seamlessly integrates with most of the common development programs available at every stage of the SDLC. CxSAST’s features such as incremental code scanning and the best fix location made it ideal for any continuous integration continuous development (CICD) environment.

 

When vulnerabilities are detected in the Java code, CxSAST will not only identify the best fix location, but will also offer resources to the developer to understand how the attack vector work as well as remediation advice which will help them ensure similar mistakes are avoided in the future.

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.