Apache Fineract / FINERACT-436

Fix security vulnerabilities related to using public mutable and nonconstant fields


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0
    • Component/s: Accounting, Organization
    • Labels:
      None

      Description

      There are multiple security vulnerabilities in fineract-provider, as described in this report [1].

      There are four types of vulnerabilities related to using public mutable and nonconstant fields.

      1. Mutable fields should not be "public static"

      • MITRE, CWE-582 - Array Declared Public, Final, and Static
      • MITRE, CWE-607 - Public Static Final Field References Mutable Object

      2. "static final" arrays should be "private"

      • MITRE, CWE-582 - Array Declared Public, Final, and Static
      • MITRE, CWE-607 - Public Static Final Field References Mutable Object

      3. "public static" fields should be constant

      • MITRE, CWE-500 - Public Static Field Not Marked Final
      • CERT OBJ10-J - Do not use public static nonfinal variable

      4. "enum" fields should not be publicly mutable

      The reported instance of type 2 is considered a false positive. Types 1, 3 and 4 are present as described in the report [1].

      The proposed solutions [2] are as follows (each solution corresponds to the vulnerability type of the same number above):

      1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
      2. "static final" arrays should be "private" => Make the arrays private.
      3. "public static" fields should be constant => Make the respective field final.
      4. "enum" fields should not be publicly mutable => Lower the visibility of the setter, or remove it altogether.

      [1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
      [2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
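      A compact illustration of the four field patterns and their remediations, added here as an example; it is not Fineract's own code, and every class, field and enum name in it is hypothetical and constructed for the demonstration. For types 1 and 2 it uses private fields behind read-only accessors, the stricter end of the "lower the visibility" advice above, so that the shared state cannot be altered from outside the class at all.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class PublicStaticFieldsDemo {

    // ---- Constructed examples of the four weak patterns described in the report ----
    static final class Unsafe {
        // Type 1 (CWE-607): a mutable object reachable through a public static reference.
        // "final" pins the reference, not the contents; any class can clear or extend the list.
        public static final List<String> ALLOWED_CURRENCIES =
                new ArrayList<>(Arrays.asList("USD", "EUR"));

        // Type 2 (CWE-582): public static final array; its elements remain writable by any caller.
        public static final String[] GL_ACCOUNT_TYPES = { "ASSET", "LIABILITY" };

        // Type 3 (CWE-500): public static field that is not final, i.e. global state anyone can reassign.
        public static int maxLoginAttempts = 5;

        // Type 4: enum constants are process-wide singletons, so a public setter lets one caller
        // change the value every other user of the enum observes.
        public enum Status {
            ACTIVE(1), CLOSED(2);
            private int code;
            Status(int code) { this.code = code; }
            public int getCode() { return code; }
            public void setCode(int code) { this.code = code; }
        }
    }

    // ---- Hardened versions following the four remediations ----
    static final class Safe {
        // Type 1: reference kept private, callers get an unmodifiable view.
        private static final List<String> ALLOWED_CURRENCIES =
                Collections.unmodifiableList(Arrays.asList("USD", "EUR"));
        public static List<String> allowedCurrencies() { return ALLOWED_CURRENCIES; }

        // Type 2: array is private; the accessor hands out a defensive copy.
        private static final String[] GL_ACCOUNT_TYPES = { "ASSET", "LIABILITY" };
        public static String[] glAccountTypes() { return GL_ACCOUNT_TYPES.clone(); }

        // Type 3: the public static field becomes a true constant.
        public static final int MAX_LOGIN_ATTEMPTS = 5;

        // Type 4: enum field is final and the setter is gone.
        public enum Status {
            ACTIVE(1), CLOSED(2);
            private final int code;
            Status(int code) { this.code = code; }
            public int getCode() { return code; }
        }
    }

    public static void main(String[] args) {
        // With the weak patterns, shared configuration silently changes for the whole JVM.
        Unsafe.ALLOWED_CURRENCIES.clear();
        Unsafe.GL_ACCOUNT_TYPES[0] = "MODIFIED";
        Unsafe.maxLoginAttempts = Integer.MAX_VALUE;
        Unsafe.Status.ACTIVE.setCode(99);
        System.out.println("unsafe: currencies=" + Unsafe.ALLOWED_CURRENCIES
                + " types=" + Arrays.toString(Unsafe.GL_ACCOUNT_TYPES)
                + " attempts=" + Unsafe.maxLoginAttempts
                + " ACTIVE.code=" + Unsafe.Status.ACTIVE.getCode());

        // The hardened versions either reject the write or confine it to a throwaway copy.
        try {
            Safe.allowedCurrencies().clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("safe: list mutation rejected");
        }
        Safe.glAccountTypes()[0] = "MODIFIED";   // only the clone is touched
        System.out.println("safe: types=" + Arrays.toString(Safe.glAccountTypes()));
        // Safe.MAX_LOGIN_ATTEMPTS = 0;          // does not compile: field is final
        // Safe.Status.ACTIVE.setCode(99);       // does not compile: no setter exists
        System.out.println("safe: ACTIVE.code=" + Safe.Status.ACTIVE.getCode());
    }
}
```

      Running the class prints the emptied list, the overwritten array element and the changed enum code for the unsafe variants, followed by the rejected mutation and the intact `[ASSET, LIABILITY]` array for the hardened ones. The two commented-out lines are the type 3 and type 4 cases: once the field is final and the setter is removed, the compiler rejects the write, which is the strongest form of the fix.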

            People

            • Assignee: Santosh Math (santoshmath)
            • Reporter: Thisura (thisura)
            • Votes: 0
            • Watchers: 3
