The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Weaknesses

Declaration of Throws for Generic Exception

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Detection of Error Condition Without Action

The software detects a specific error, but takes no actions to handle the error.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the...

Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Improper Check or Handling of Exceptional Conditions

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.

Improper Cleanup on Thrown Exception

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Improper Handling of Missing Values

The software does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blan...

Improper Handling of Undefined Values

The software does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.

Incorrect Control Flow Scoping

The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

J2EE Bad Practices: Use of System.exit()

A J2EE application uses System.exit(), which also shuts down its container.

Return Inside Finally Block

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Uncaught Exception

An exception is thrown from a function, but it is not caught.

Uncaught Exception in Servlet

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Unchecked Return Value to NULL Pointer Dereference

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer der...

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

Concepts

Deprecated or Obsolete

Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" pu...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.