CWE-111: Direct Use of Unsafe JNI
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
Overview
Many safety features that programmers may take for granted do not apply to native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.
Real-world CVEs
2 recorded CVEs are caused by CWE-111 (Direct Use of Unsafe JNI).
Common consequences
What can happen when CWE-111 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-111, grouped by where in the lifecycle they apply.
Implement error handling around the JNI call.
Do not use JNI calls if you don't trust the native library.
Be reluctant to use JNI calls. A Java API equivalent may exist.
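As an added example (not MITRE's code and not from this page's source), this is how the native side of an echo-style method can support the first mitigation: a C helper enforces the buffer bound that Java's runtime would otherwise check and returns a status code that the Java caller can handle as an error. The names `echo_read_line`, `echo_from_string`, `echo_status` and the `ECHO_MAX` size are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and buffer size, chosen for this example only. */
#define ECHO_MAX 64
typedef enum { ECHO_OK, ECHO_EOF, ECHO_TOO_LONG, ECHO_BAD_ARG } echo_status;

/* Read one line from `in` into buf[0..cap-1] with the newline stripped.
 * Never writes past the buffer. An over-long line is rejected whole and
 * drained, so the next call starts on a fresh line. */
echo_status echo_read_line(FILE *in, char *buf, size_t cap)
{
    if (in == NULL || buf == NULL || cap < 2 || cap > INT_MAX)
        return ECHO_BAD_ARG;
    buf[0] = '\0';
    if (fgets(buf, (int)cap, in) == NULL)
        return ECHO_EOF;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return ECHO_OK;
    }
    int c = fgetc(in);      /* no newline stored: inspect what follows */
    if (c == EOF || c == '\n')
        return ECHO_OK;     /* line fit exactly, or final line has no newline */
    while (c != EOF && c != '\n')
        c = fgetc(in);      /* discard the rest of the over-long line */
    buf[0] = '\0';
    return ECHO_TOO_LONG;
}

/* Demo helper: feed a constructed string through a temporary file and
 * return the status of line number `skip` (0-based). */
echo_status echo_from_string(const char *input, int skip, char *buf, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return ECHO_BAD_ARG;
    fputs(input, f);
    rewind(f);
    echo_status st;
    do {
        st = echo_read_line(f, buf, cap);
    } while (skip-- > 0 && st != ECHO_EOF);
    fclose(f);
    return st;
}
```

A JNI entry point built on this helper would pass a buffer of `ECHO_MAX` bytes and report any status other than `ECHO_OK` back to Java instead of echoing the buffer.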
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code defines a class named Echo. The class declares one native method (defined below), which uses C to echo commands entered on the console back to the user. The following C code defines the native method implemented in the Echo class:
Vulnerable example
class Echo {
Vulnerable example
#include <jni.h>
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: Unsafe JNI
- The CERT Oracle Secure Coding Standard for Java (2011): Define wrappers around native methods (SEC08-J)
- SEI CERT Oracle Coding Standard for Java: Safely invoke standard APIs that perform tasks using the immediate caller's class loader instance (loadLibrary) (JNI01-J)
- SEI CERT Oracle Coding Standard for Java: Define wrappers around native methods (JNI00-J) — Imprecise fit
- Software Fault Patterns: Use of an improper API (SFP3)
Frequently asked questions
Common questions about CWE-111.
What is CWE-111?
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
What CVEs are caused by CWE-111?
2 recorded CVEs are attributed to CWE-111: CVE-2018-12549 and CVE-2016-9160.
How do you prevent CWE-111?
Implement error handling around the JNI call.
How is CWE-111 detected?
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
What are the consequences of CWE-111?
Exploiting CWE-111 can lead to: Bypass Protection Mechanism.
Is CWE-111 actively exploited?
2 recorded CVEs are caused by CWE-111; none are currently in CISA's KEV catalog of actively exploited flaws.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.