1. Home
  2. CWE Database
  3. CWE-477
Base · Medium

CWE-477: Use of Obsolete Function

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

CWE-477 · Base Level ·2 Mitigations

Description

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

As programming languages evolve, functions occasionally become obsolete due to: Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.

Potential Impact

Other

Quality Degradation

Demonstrative Examples

The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0.
Bad
...getpw(uid, pwdline);for (i=0; i<3; i++){cryptpw=strtok(pwdline, ":");pwdline=0;}result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;...
Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk. Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.
In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the "Trim()" method.
Bad
String cmd = null;...cmd = Environment.GetEnvironmentVariable("cmd");cmd = cmd.Trim();
The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character.
Bad
...String name = new String(nameBytes, highByte);...
In this example, the constructor may not correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion.

Mitigations & Prevention

Implementation

Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.

Requirements

Consider seriously the security implications of using an obsolete function. Consider using alternate functions.

Detection Methods

  • Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Binary or Bytecode SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Manual Results Interpretation High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Manual Static Analysis - Source Code High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Source Code High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis High — According to SOAR [REF-1479], the following detection techniques may be useful:

CWE-710: Improper Adherence to Coding Standards

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — Obsolete
  • Software Fault Patterns: SFP3 — Use of an improper API
  • SEI CERT Perl Coding Standard: DCL30-PL — Do not import deprecated modules
  • SEI CERT Perl Coding Standard: EXP30-PL — Do not use deprecated or obsolete functions or modules

Frequently Asked Questions

What is CWE-477?

CWE-477 (Use of Obsolete Function) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

How can CWE-477 be exploited?

Attackers can exploit CWE-477 (Use of Obsolete Function) to quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-477?

Key mitigations include: Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.

What is the severity of CWE-477?

CWE-477 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.