Is there a way to configure the JVM to block instances of a class being created?
I’d like to do this to ensure no service running in the JVM is allowed to create instances of a class that has been identified as a security risk in a CVE, lets call that class BadClass
.
NOTE: I’m looking for a general solution, so the following is purely additional information. I would normally address this by switching the library out, or upgrading it to a version that doesn’t have the exploit, but it’s part of a larger library that wont be addressing the issue for some time. So I’m not even using BadClass
anywhere, but want to completely block it.
Advertisement
Answer
I do not know a JVM parameter, but here’s some alternatives that might pout you in a position that solve your requirements:
You can write a CustomClassLoader that gives you fine control on what to do. Normal use cases would be plugin loading etc. In your case this is more security governance on devops level.
If you have a CICD pipeline with integration tests you could also start the JVM with
-verbose:class
parameter and see which classes are loaded when running your tests. Seem a bit hacky, but maybe suits your use case. Just throwing everything into the game, it’s up to you judging about the best fit.Depending on your build system (Maven?) you could restrict building applications just on your private cached libs. So you should have full control on it and put a library – review layer in between. This would also share responsibility between devs and the repository admins.