Apache Fineract - FINERACT-470

Fix security vulnerabilities related to using public mutable and nonconstant fields


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.1.0
    • Component/s: System

    Description

      There are multiple security vulnerabilities found in fineract-provider, as described in this report [1].
      There are four types of vulnerabilities related to using public mutable and nonconstant fields.

      1. Mutable fields should not be "public static"
         • MITRE, CWE-582 - Array Declared Public, Final, and Static
         • MITRE, CWE-607 - Public Static Final Field References Mutable Object
      2. "static final" arrays should be "private"
         • MITRE, CWE-582 - Array Declared Public, Final, and Static
         • MITRE, CWE-607 - Public Static Final Field References Mutable Object
      3. "public static" fields should be constant
         • MITRE, CWE-500 - Public Static Field Not Marked Final
         • CERT OBJ10-J - Do not use public static nonfinal variable
      4. "enum" fields should not be publicly mutable

      The reported incident of type 2 is considered to be a false positive. Types 1, 3 and 4 are present as described in the report [1].
      The proposed solutions [2] are as follows (one solution for each vulnerability type above, in the same order).

      1. Mutable fields should not be "public static" => Make the respective members protected. If they are in a class, move them to a separate class and lower the visibility.
      2. "static final" arrays should be "private" => Make the arrays private.
      3. "public static" fields should be constant => Make the respective field final.
      4. "enum" fields should not be publicly mutable => Lower the visibility of the setter, or remove it altogether.

      Some of the issues were fixed in FINERACT-436 [3]. The rest should be covered in this ticket.

      [1] https://drive.google.com/open?id=1uLk3YPcjnXk7RqF8etsTzIuN59CDU6sgBxpZul__1V4
      [2] https://drive.google.com/open?id=1TdwwHM2K1gMb6qILEX7gmzU8dVXcHGBdh569aFJfB2U
      [3] https://github.com/apache/fineract/pull/343
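The following is an added illustration of the four field patterns listed in the description and of the fixes the ticket proposes. It is not Fineract code and is not taken from the linked report; the class, field and enum names (PublicMutableFields, allowedHosts, ROLES, maxLoginAttempts, Currency) are hypothetical. For type 1 the ticket proposes lowering visibility; the example goes one step further and also hands out an unmodifiable view, so that even code in the same package cannot mutate the shared list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical illustration of the four findings; all names are made up.
public class PublicMutableFields {

    // BEFORE: the four patterns the report flags.
    static class Before {
        // 1. Mutable object behind a public static field: any class in the JVM
        //    can add to, remove from or replace the shared list (CWE-607).
        public static List<String> allowedHosts = new ArrayList<>(Arrays.asList("api.example"));

        // 2. public static final array: the reference is final, the elements are not (CWE-582).
        public static final String[] ROLES = {"USER", "ADMIN"};

        // 3. public static non-final primitive: a global, writable setting, not a constant
        //    (CWE-500 / CERT OBJ10-J).
        public static int maxLoginAttempts = 5;

        // 4. enum with a public setter: enum constants are singletons, so one
        //    mutation changes the value seen by every caller.
        enum Currency {
            USD("$");
            private String symbol;
            Currency(String s) { symbol = s; }
            public String getSymbol() { return symbol; }
            public void setSymbol(String s) { symbol = s; }
        }
    }

    // AFTER: the corresponding hardened declarations.
    static class After {
        // 1. Private, final reference to an unmodifiable list; readers get a view
        //    that throws on mutation instead of the backing collection.
        private static final List<String> ALLOWED_HOSTS =
                Collections.unmodifiableList(Arrays.asList("api.example"));
        public static List<String> allowedHosts() { return ALLOWED_HOSTS; }

        // 2. Private array; accessor returns a defensive copy.
        private static final String[] ROLES = {"USER", "ADMIN"};
        public static String[] roles() { return ROLES.clone(); }

        // 3. final primitive: a genuine compile-time constant.
        public static final int MAX_LOGIN_ATTEMPTS = 5;

        // 4. Enum field is final and the setter is gone.
        enum Currency {
            USD("$");
            private final String symbol;
            Currency(String s) { symbol = s; }
            public String getSymbol() { return symbol; }
        }
    }

    public static void main(String[] args) {
        // Any code loaded in the same JVM can rewrite every "before" field.
        Before.allowedHosts.add("attacker.example");
        Before.ROLES[1] = "SUPERADMIN";
        Before.maxLoginAttempts = Integer.MAX_VALUE;
        Before.Currency.USD.setSymbol("EUR");
        System.out.println("before: " + Before.allowedHosts + " " + Arrays.toString(Before.ROLES)
                + " " + Before.maxLoginAttempts + " " + Before.Currency.USD.getSymbol());

        // The "after" forms reject or isolate the same attempts.
        try {
            After.allowedHosts().add("attacker.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("after: list is unmodifiable");
        }
        String[] copy = After.roles();
        copy[1] = "SUPERADMIN";                 // only the copy changes
        System.out.println("after: " + Arrays.toString(After.roles()));
        // After.MAX_LOGIN_ATTEMPTS = 0;        // compile error: cannot assign a value to final variable
        // After.Currency.USD.setSymbol("EUR"); // compile error: method does not exist
    }
}
```

Compile and run with `javac PublicMutableFields.java && java PublicMutableFields`; the "before" line shows all four values rewritten from outside the declaring class, while the "after" section shows the list rejecting the write and the array copy leaving the original intact. The two assignments left as comments are the cases the compiler now catches for you.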

      People

        santoshmath Santosh Math
        thisura Thisura