Description
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning an instance of the class.
Cloneable classes are effectively open classes, since data cannot be hidden in them. A class that implements Cloneable and does not explicitly deny cloning can be copied by any caller that can reach its clone() method, and the copy is produced by Object.clone() as a field-for-field duplicate without running the constructor, so any validation, registration or access check the constructor performs is skipped for the copy.
Potential Impact
Access Control
Bypass Protection Mechanism
Demonstrative Examples
public class CloneClient {
    public CloneClient() {
        Teacher t1 = new Teacher("guddu", "22,nagar road");
        // ...
        // Do some stuff to remove the teacher.
        Teacher t2 = (Teacher) t1.clone();
        System.out.println(t2.name);
    }

    public static void main(String args[]) {
        new CloneClient();
    }
}

class Teacher implements Cloneable {
    public Object clone() {
        try {
            return super.clone();
        } catch (java.lang.CloneNotSupportedException e) {
            throw new RuntimeException(e.toString());
        }
    }

    public String name;
    public String clas;

    public Teacher(String name, String clas) {
        this.name = name;
        this.clas = clas;
    }
}

Teacher exposes a public clone() that delegates to Object.clone(), so any code holding a reference to t1 obtains a field-for-field copy of it, including after the original was meant to have been removed. Make such classes uncloneable by defining a final clone() that refuses:

    // Object.clone() returns Object, so the override must as well.
    public final Object clone() throws java.lang.CloneNotSupportedException {
        throw new java.lang.CloneNotSupportedException();
    }

Mitigations & Prevention
If you do make a class cloneable, declare its clone() method final so that a subclass cannot override it, and implement it by returning super.clone() rather than hand-copying fields. Classes that hold sensitive data should not be cloneable at all: give them a final clone() that throws CloneNotSupportedException, and consider declaring the class itself final. Cloning is only one copy path; a class that is also Serializable can be duplicated through deserialization, which likewise bypasses the constructor, so apply the same scrutiny there.
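The following is an added example, not code from the CWE entry, covering both the constructor-bypass point in the description and the mitigation above. The class names (Credential, LeakyCredential, SealedCredential, StillSealed) and the instance-registration list are illustrative assumptions. It shows that omitting Cloneable is not enough: a subclass can opt in to cloning and copy the parent's private state without the parent's constructor running, whereas a final clone() that throws cannot be overridden and keeps refusing even when a subclass implements Cloneable.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not part of the CWE-498 entry). Names are illustrative.
public class CloneDemo {

    // Naive "protection": no Cloneable, no clone() override, but the class is not final.
    static class Credential {
        // Assumed constructor-side tracking: every legitimate instance is registered here.
        static final List<Credential> issued = new ArrayList<>();
        private final String secret;

        Credential(String secret) {
            this.secret = secret;
            issued.add(this);
        }

        String secret() { return secret; }
    }

    // Untrusted subclass. Object.clone() only checks that the runtime class
    // implements Cloneable, so this copies Credential's private field without
    // running Credential's constructor or its registration logic.
    static class LeakyCredential extends Credential implements Cloneable {
        LeakyCredential(String secret) { super(secret); }

        @Override
        public LeakyCredential clone() {
            try {
                return (LeakyCredential) super.clone();
            } catch (CloneNotSupportedException e) {
                throw new AssertionError("unreachable: class implements Cloneable", e);
            }
        }
    }

    // Hardened per the mitigation: a final clone() that always refuses.
    // Subclasses cannot override it, so implementing Cloneable downstream
    // gives an attacker nothing.
    static class SealedCredential {
        private final String secret;

        SealedCredential(String secret) { this.secret = secret; }

        @Override
        public final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException("SealedCredential may not be copied");
        }
    }

    static class StillSealed extends SealedCredential implements Cloneable {
        StillSealed(String secret) { super(secret); }
        // No clone() here: declaring one would not compile, because the
        // inherited clone() is final. The best a subclass can do is call it.
        Object tryClone() throws CloneNotSupportedException { return super.clone(); }
    }

    public static void main(String[] args) throws Exception {
        LeakyCredential original = new LeakyCredential("hunter2");
        LeakyCredential copy = original.clone();
        // Only one constructor ran, but two objects now hold the secret.
        System.out.println("registered instances: " + Credential.issued.size()); // 1
        System.out.println("copy holds secret: " + copy.secret());               // hunter2
        System.out.println("copy is a distinct object: " + (copy != original));  // true

        try {
            new StillSealed("hunter2").tryClone();
            System.out.println("BUG: sealed class was cloned");
        } catch (CloneNotSupportedException expected) {
            System.out.println("sealed class refused clone: " + expected.getMessage());
        }
    }
}
```

Compile and run with `javac CloneDemo.java && java CloneDemo`. The registration list stands in for whatever the real constructor enforces (an access check, an audit record, a wipe-on-close lifecycle); the clone escapes all of it. Declaring SealedCredential final as well closes the subclassing route entirely, but the final clone() is what matters when the class must remain extensible.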
Detection Methods
- Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- CLASP — Information leak through class cloning
- The CERT Oracle Secure Coding Standard for Java (2011): OBJ07-J — Sensitive classes must not let themselves be copied
- Software Fault Patterns: SFP23 — Exposed Data
Frequently Asked Questions
What is CWE-498?
CWE-498 (Cloneable Class Containing Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
How can CWE-498 be exploited?
Attackers can exploit CWE-498 (Cloneable Class Containing Sensitive Information) to bypass a protection mechanism: code that can reach the object's clone() method obtains a copy of its sensitive fields without the constructor's checks running. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-498?
Key mitigations include: if you do make a class cloneable, declare its clone() method final and have it return super.clone(); classes holding sensitive data should instead declare a final clone() that throws CloneNotSupportedException.
What is the severity of CWE-498?
CWE-498 is classified as a Variant-level weakness, the most specific level of abstraction in CWE, tied here to Java's Cloneable mechanism. Its actual severity depends on context: it matters when less-trusted code running in the same JVM, such as a plugin or other partially trusted component, can obtain a reference to the sensitive object and reach its clone() method.