CWE-111: Direct Use of Unsafe JNI

VariantDraft

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.

View on MITRE
Back to CWE Lookup

Extended Description

Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-111: Direct Use of Unsafe JNI?+

CWE-111: Direct Use of Unsafe JNI is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java. Many safety features that programmers may take for granted do not apply for native code, so you must carefully review all such code for potential problems. The languages used to implement native code may be more susceptible to buffer overflows and other attacks. Native code is unprotected by the security features enforced by the runtime environment, such as strong typing and array bounds checking.

What are the security consequences of Direct Use of Unsafe JNI?+

If exploited, CWE-111 (Direct Use of Unsafe JNI) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.

How do you prevent or mitigate Direct Use of Unsafe JNI?+

Recommended mitigations for CWE-111 include: Implement error handling around the JNI call. Do not use JNI calls if you don't trust the native library. Be reluctant to use JNI calls. A Java API equivalent may exist.

Which programming languages are affected by Direct Use of Unsafe JNI?+

CWE-111 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-111 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More