Description
The product contains a finalize() method that does not call super.finalize().
The Java Language Specification states that it is a good practice for a finalize() method to call super.finalize().
Potential Impact
Other
Quality Degradation
Demonstrative Examples
```java
protected void finalize() {
    discardNative();  // releases this class's own resource, but super.finalize() is never called
}
```
Mitigations & Prevention
Call the super.finalize() method.
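As an added example (not code from the CWE entry), the weakness and its fix side by side: a base class whose finalizer releases a resource, a subclass that omits super.finalize(), and the corrected subclass that calls it from a finally block; the class names and logged messages are assumed for the demonstration.

```java
// Added example, not from the CWE entry. Class names are assumed.
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class Cwe568Demo {
    // Records which finalizers actually ran, so the skipped cleanup is visible.
    static final List<String> log = Collections.synchronizedList(new ArrayList<>());

    static class NativeHandle {
        @Override
        protected void finalize() throws Throwable {
            try {
                log.add("NativeHandle.finalize: native memory released");
            } finally {
                super.finalize();
            }
        }
    }

    // Weak form (CWE-568): the override never reaches NativeHandle.finalize().
    static class LeakyHandle extends NativeHandle {
        @Override
        protected void finalize() {
            log.add("LeakyHandle.finalize: cache cleared");
            // super.finalize() missing: the base class's cleanup is skipped
        }
    }

    // Corrected form: own cleanup first, then super.finalize() inside finally,
    // so an exception in the subclass cleanup cannot skip the superclass finalizer.
    static class SafeHandle extends NativeHandle {
        @Override
        protected void finalize() throws Throwable {
            try {
                log.add("SafeHandle.finalize: cache cleared");
            } finally {
                super.finalize();
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        new LeakyHandle();
        new SafeHandle();
        // Finalization is never guaranteed; this only nudges the JVM for the demo.
        for (int i = 0; i < 5 && log.size() < 3; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        log.forEach(System.out::println);
    }
}
```

When the finalizers do run, "NativeHandle.finalize: native memory released" appears only once, for SafeHandle; the LeakyHandle instance never releases the base class's resource. Finalizers are deprecated in current Java releases, which is why the CERT rule mapped below (MET12-J) recommends avoiding them altogether.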
Detection Methods
- Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): MET12-J — Do not use finalizers
- Software Fault Patterns: SFP28 — Unexpected access points
Frequently Asked Questions
What is CWE-568?
CWE-568 (finalize() Method Without super.finalize()) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product contains a finalize() method that does not call super.finalize().
How can CWE-568 be exploited?
Exploiting CWE-568 (finalize() Method Without super.finalize()) can lead to quality degradation. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-568?
Key mitigations include: Call the super.finalize() method.
What is the severity of CWE-568?
CWE-568 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.