1. Home
  2. CWE Database
  3. CWE-589
Variant · Low-Medium

CWE-589: Call to Non-ubiquitous API

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences...

CWE-589 · Variant Level ·3 Mitigations

Description

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

Some functions that offer security features supported by the OS are not available on all versions of the OS in common use. Likewise, functions are often deprecated or made obsolete for security reasons and should not be used.

Potential Impact

Other

Quality Degradation

Mitigations & Prevention

Implementation

Always test your code on any platform on which it is targeted to run on.

Testing

Test your code on the newest and oldest platform on which it is targeted to run on.

Testing

Develop a system to test for API functions that are not portable.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-474: Use of Function with Inconsistent Implementations

The code uses a function that has inconsistent implementations across operating systems and versions.

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): MET02-J — Do not use deprecated or obsolete classes or methods
  • The CERT Oracle Secure Coding Standard for Java (2011): SER00-J — Maintain serialization compatibility during class evolution
  • Software Fault Patterns: SFP3 — Use of an improper API

Frequently Asked Questions

What is CWE-589?

CWE-589 (Call to Non-ubiquitous API) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences...

How can CWE-589 be exploited?

Attackers can exploit CWE-589 (Call to Non-ubiquitous API) to quality degradation. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-589?

Key mitigations include: Always test your code on any platform on which it is targeted to run on.

What is the severity of CWE-589?

CWE-589 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.