Reino: Code Quality

Códigos de baixa qualidade levam a comportamentos imprevisíveis. Da perspectiva do usuário, isso normalmente se manifesta como usabilidade ruim. Para um invasor, trata-se de uma oportunidade para atacar o sistema de formas imprevistas.

Unreleased Resource: Sockets

ABAP
Java/JSP

Abstract

O programa talvez não consiga liberar um soquete.

Explanation

O programa talvez não consiga liberar um soquete.

Os vazamentos de recursos têm pelo menos duas causas comuns:

- Condições de erro e outras circunstâncias excepcionais.

- Confusão acerca de qual parte do programa é responsável pela liberação do recurso.

A maioria dos problemas de recursos não liberados resulta em problemas gerais de confiabilidade de software. No entanto, se um invasor puder provocar intencionalmente um vazamento de recursos, ele poderá iniciar um ataque de negação de serviço esgotando o pool de recursos.

Exemplo 1: O método a seguir nunca fecha o soquete que ele abre. Em um ambiente ocupado, isso pode fazer com que o sistema de tempo de execução ABAP use todos os seus soquetes.


...
    lo_client = cl_apc_tcp_client_manager=>create( i_host = host
                                                   i_port = port
                                                   i_frame = lv_frame
                                                   i_protocol = protocol
                                                   i_ssl_id = ssl_id
                                                   i_event_handler = lo_event_handler ).

    " initiate the connection setup, successful connect leads to execution of ON_OPEN
    lo_client->connect( ).

...

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 772

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect

[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.abap.unreleased_resource_sockets

Abstract

O programa talvez não consiga liberar um soquete.

Explanation

O programa talvez não consiga liberar um soquete.

Vazamento de recursos têm pelo menos duas causas comuns:

- Condições de erro e outras circunstâncias excepcionais.

- Confusão acerca de qual parte do programa é responsável pela liberação do recurso.

A maioria dos problemas de recursos não liberados resulta em problemas gerais de confiabilidade de software. No entanto, se um invasor puder provocar intencionalmente um vazamento de recursos, talvez ele consiga lançar um ataque de negação de serviço esgotando o pool de recursos.

Exemplo 1: O método a seguir nunca fecha o soquete que ele abre. Em um ambiente muito ativo, isso pode fazer com que a JVM use todos os seus soquetes.


private void echoSocket(String host, int port) throws UnknownHostException, SocketException, IOException
{
  Socket sock = new Socket(host, port);
  BufferedReader reader = new BufferedReader(new InputStreamReader(sock.getInputStream()));

  while ((String socketData = reader.readLine()) != null) {
    System.out.println(socketData);
  }
}

Exemplo 2: Em condições normais, a correção a seguir fecha corretamente o soquete e quaisquer fluxos associados. Porém, se ocorrer uma exceção durante a leitura da entrada ou a gravação dos dados no fluxo, o objeto de soquete não será fechado. Se isso acontecer com frequência suficiente, o sistema ficará sem soquetes e não poderá lidar com mais conexões.


private void echoSocket(String host, int port) throws UnknownHostException, SocketException, IOException
{
  Socket sock = new Socket(host, port);
  BufferedReader reader = new BufferedReader(new InputStreamReader(sock.getInputStream()));

  while ((String socketData = reader.readLine()) != null) {
    System.out.println(socketData);
  }
  sock.close();
}

References

[1] FIO04-J. Release resources when they are no longer needed CERT

[2] DOS-2: Release resources in all cases Oracle

[3] Standards Mapping - Common Weakness Enumeration CWE ID 772

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II

[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.unreleased_resource_sockets