Missing Report of Error Condition

Status: Draft
Abstraction: Base
Structure: Simple

Description

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Common Consequences

Scope: Integrity, Other

Impact: Varies by Context, Unexpected State

Errors that are not properly reported could place the system in an unexpected state that could lead to unintended behaviors.

Demonstrative Examples

ID : DX-185

In the following snippet from a doPost() servlet method, the server returns "200 OK" (the container's default status) even if an error occurs, because the catch block only logs the exception and returns without setting an error status.

Code Example (Bad, Java):

```java
public void doPost(HttpServletRequest request, HttpServletResponse response) {
    try {
        // Something that may throw an exception.
        ...
    } catch (Throwable t) {
        // The error is logged but never reported to the client:
        // the response still goes out with the default 200 status.
        logger.error("Caught: " + t.toString());
        return;
    }
}
```
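The following is an added example, not part of the CWE entry, that reproduces the doPost() pattern above in Python so it can be run offline: a minimal `Response` object with a default 200 status (standing in for the servlet container), a constructed `process()` step that fails on malformed input, the swallowing handler beside a hardened one that maps the failure to an explicit error status. The names `Response`, `ProcessingError`, `process`, `do_post_bad` and `do_post_fixed` are all assumptions made for this illustration.

```python
"""Added example (not from the CWE entry): CWE-392 in a request handler.

The Response class, ProcessingError and process() are constructed for
this illustration; they are not part of any servlet API.
"""
import logging
from dataclasses import dataclass, field

logger = logging.getLogger("cwe392-example")


@dataclass
class Response:
    """Stand-in for a servlet response: status defaults to 200 OK."""
    status: int = 200
    body: str = ""
    headers: dict = field(default_factory=dict)


class ProcessingError(Exception):
    """Constructed failure raised by the work the handler performs."""


def process(payload: str) -> str:
    """Constructed stand-in for 'something that may throw an exception'."""
    if not payload.strip():
        raise ProcessingError("empty payload")
    return payload.upper()


def do_post_bad(payload: str) -> Response:
    """CWE-392: the exception is logged and swallowed.

    The response leaves with its default 200 status and an empty body,
    so the client cannot tell that the request failed.
    """
    response = Response()
    try:
        response.body = process(payload)
    except Exception as exc:  # mirrors 'catch (Throwable t)'
        logger.error("Caught: %s", exc)
        return response  # status is still 200
    return response


def do_post_fixed(payload: str) -> Response:
    """Hardened form: every failure is reported as an error status.

    Expected, input-caused failures become a 400; anything unforeseen
    becomes a 500 with the stack trace logged.  Either way the status
    carries the error condition to the caller.
    """
    response = Response()
    try:
        response.body = process(payload)
    except ProcessingError as exc:
        logger.error("Caught: %s", exc)
        response.status = 400
        response.body = "bad request"
    except Exception:
        logger.exception("Unexpected failure while handling request")
        response.status = 500
        response.body = "internal error"
    return response


if __name__ == "__main__":
    for handler in (do_post_bad, do_post_fixed):
        r = handler("   ")  # malformed input: process() raises
        print(f"{handler.__name__}: status={r.status} body={r.body!r}")
```

Running the block shows `do_post_bad` answering the failing request with status 200 and an empty body, while `do_post_fixed` answers 400. The same fix applies to the observed examples below: a wrapper that returns "OK" regardless of a callee's status code is the same weakness, and the remedy is to propagate or translate the callee's status rather than replace it with a success value.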

Observed Examples

[REF-1374] Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (Missing Report of Error Condition), thus reducing the entropy (Insufficient Entropy in PRNG) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (Use of Weak Credentials).

CVE-2004-0063: Function returns "OK" even if another function returns a different status code than expected, leading to accepting an invalid PIN number.

CVE-2002-1446: Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.

CVE-2002-0499: Kernel function truncates long pathnames without generating an error, leading to operation on wrong directory.

CVE-2005-2459: Function returns non-error value when a particular erroneous condition is encountered, leading to resultant NULL dereference.
References

[REF-1374] Unciphered. "Randstorm: You Can't Patch a House of Cards". 14-11-2023.
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns