Byte Open Security (ByteOS Network)
CWE-392: Missing Report of Error Condition
Weakness ID: 392
Version: v4.17
Weakness Name: Missing Report of Error Condition
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
ChildOf | Discouraged | Class | 755 | Improper Handling of Exceptional Conditions
ChildOf | Allowed-with-Review | Class | 684 | Incorrect Provision of Specified Functionality
ParentOf | Allowed | Base | 1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 389 | Error Conditions, Return Values, Status Codes
MemberOf | Prohibited | Category | 855 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS)
MemberOf | Prohibited | View | 884 | CWE Cross-section
MemberOf | Prohibited | Category | 961 | SFP Secondary Cluster: Incorrect Exception Behavior
MemberOf | Prohibited | Category | 1012 | Cross Cutting
MemberOf | Prohibited | Category | 1145 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)
MemberOf | Prohibited | Category | 1412 | Comprehensive Categorization: Poor Coding Practices
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-315 | Unexpected State (impact)
MemberOf | Prohibited | BOSSView | BOSS-326 | Varies by Context (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1012 | Cross Cutting

Relevant to the view "Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java - (1133)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1145 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)

Relevant to the view "Software Development - (699)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 389 | Error Conditions, Return Values, Status Codes

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 961 | SFP Secondary Cluster: Incorrect Exception Behavior
▼Background Detail

▼Common Consequences
Scope: Integrity, Other
Likelihood: N/A
Impact: Varies by Context, Unexpected State
Note:

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

▼Potential Mitigations
▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

Language: Java (Bad code)

    try {
        // Something that may throw an exception.
        ...
    } catch (Throwable t) {
        // The error is only logged; no status code is set on the response,
        // so the container's default "200 OK" is sent to the client.
        logger.error("Caught: " + t.toString());
        return;
    }
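The following is an added example, not code from the CWE entry or from ByteOS: it places the page's bad pattern next to a fixed servlet that reports the error condition through the HTTP status. The class names, the constructed TransferService helper, the "amount" and "simulateBackendFailure" parameters and all messages are assumptions made for this example; the javax.servlet API calls are the standard ones.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed stand-in for the servlet's real work (hypothetical, not from the page).
// Throws IllegalArgumentException for bad client input and IllegalStateException
// for a back-end failure.
final class TransferService {
    static void transfer(HttpServletRequest req) {
        String amount = req.getParameter("amount");
        if (amount == null || !amount.matches("[1-9][0-9]*")) {
            throw new IllegalArgumentException("amount must be a positive integer");
        }
        if ("true".equals(req.getParameter("simulateBackendFailure"))) {
            throw new IllegalStateException("ledger unavailable");
        }
        // ... debit and credit the accounts ...
    }
}

// BAD (the page's pattern): the catch block logs and returns without setting a
// status, so the container sends its default "200 OK" and the client believes
// the transfer succeeded. Package-private here so both servlets fit in one file.
class BadTransferServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(BadTransferServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
        try {
            TransferService.transfer(req);
        } catch (Throwable t) {
            logger.log(Level.SEVERE, "Caught: " + t, t);
            return;
        }
    }
}

// FIXED: every failure is reported to the caller through the HTTP status code,
// and success is stated explicitly. Client mistakes map to 4xx, server-side
// failures to 5xx; the detailed cause stays in the server log, not the response.
public class FixedTransferServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(FixedTransferServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            TransferService.transfer(req);
            resp.setStatus(HttpServletResponse.SC_OK);
            resp.getWriter().println("transfer accepted");
        } catch (IllegalArgumentException e) {
            logger.log(Level.WARNING, "Rejected request: {0}", e.getMessage());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid request");
        } catch (Exception e) {
            // Catch Exception, not Throwable: Errors such as OutOfMemoryError are
            // left to the container, which itself answers with a 5xx status.
            logger.log(Level.SEVERE, "Transfer failed", e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "transfer failed");
        }
    }
}
```

Two practical points follow from the fix. The status must be decided before any of the body is written: sendError() on a response that has already been committed throws IllegalStateException, so a handler that streams output and only then detects a failure has no way left to report it. And the fixed version deliberately narrows the catch from Throwable to Exception; swallowing Throwable also hides Errors that the container would otherwise have turned into a 5xx response on its own.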

▼Observed Examples
Reference: [REF-1374]
Description:
Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (CWE-392), thus reducing the entropy (CWE-332) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (CWE-1391)
Reference: CVE-2004-0063
Description:
Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.
Reference: CVE-2002-1446
Description:
Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
Reference: CVE-2002-0499
Description:
Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.
Reference: CVE-2005-2459
Description:
Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality | Description
Primary | N/A
Resultant | N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
PLOVER | N/A | N/A | Missing Error Status Code
The CERT Oracle Secure Coding Standard for Java (2011) | TPS03-J | N/A | Ensure that tasks executing in a thread pool do not fail silently
Software Fault Patterns | SFP6 | N/A | Incorrect Exception Behavior
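The TPS03-J mapping above describes the same weakness in a different shape: a task handed to a thread pool can fail without anyone being told. The following added example (not from the CWE entry, ByteOS or the CERT standard; class and method names are constructed for it) shows why submit() hides failures and how retaining the Futures turns a silent failure into a reported one.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

public class ThreadPoolFailureReporting {

    // BAD: ExecutorService.submit() stores any exception thrown by the task
    // inside the returned Future. The Futures are discarded here, so a failing
    // task is never reported anywhere (CWE-392 / TPS03-J).
    static void runSilently(ExecutorService pool, List<Runnable> tasks) {
        for (Runnable task : tasks) {
            pool.submit(task);
        }
    }

    // FIXED: keep every Future and call get() on it. A task that threw surfaces
    // as ExecutionException, whose cause is the original exception, so the
    // caller receives an explicit list of failures instead of silence.
    static List<Throwable> runAndReport(ExecutorService pool, List<Runnable> tasks)
            throws InterruptedException {
        List<Future<?>> futures = new ArrayList<>();
        for (Runnable task : tasks) {
            futures.add(pool.submit(task));
        }
        List<Throwable> failures = new ArrayList<>();
        for (Future<?> f : futures) {
            try {
                f.get();
            } catch (ExecutionException e) {
                failures.add(e.getCause());
            }
        }
        return failures;
    }

    public static void main(String[] args) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        // Constructed tasks: one succeeds, one fails.
        List<Runnable> tasks = List.of(
                () -> { },
                () -> { throw new IllegalStateException("constructed task failure"); });
        try {
            runSilently(pool, tasks);            // nothing is observed
            List<Throwable> failures = runAndReport(pool, tasks);
            for (Throwable t : failures) {
                System.out.println("task failed: " + t);
            }
        } finally {
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }
}
```

The same effect can be achieved with execute() instead of submit(), which lets an uncaught exception reach the worker thread's UncaughtExceptionHandler, or by overriding ThreadPoolExecutor.afterExecute(); whichever route is chosen, the requirement is that a failed task produces an observable signal rather than a discarded Future.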
▼Related Attack Patterns
▼References
Reference ID: REF-1374
Title: Randstorm: You Can't Patch a House of Cards
Author: Unciphered
URL: https://www.unciphered.com/blog/randstorm-you-cant-patch-a-house-of-cards
URL Date: 2023-11-15
Date: 2023-11-14