Missing Handler

Status: Draft
Abstraction: Base
Structure: Simple
Description

A handler is not available or implemented.

Extended Description

When an exception is thrown and not caught, the process has given up the opportunity to decide whether a given failure or event warrants a change in execution. Control passes to whatever default behaviour the runtime, framework, or container provides, which was not written with this program's security requirements in mind.

Common Consequences
Scope: Other

Impact: Varies by Context

Potential Mitigations
Phase: Implementation
Handle all possible situations (e.g., every error condition an operation can produce).
Phase: Implementation
If an operation can throw an exception, implement a handler for that specific exception at the point where it can occur, rather than relying on a default handler further up the stack.
Demonstrative Examples
If a Servlet does not catch all exceptions, it may reveal debugging information that helps an adversary form a plan of attack. In the following method, a DNS lookup failure causes the Servlet to throw an exception.

Code Example (Bad, Java):

When a Servlet throws an exception, the default error response that the Servlet container sends back to the user typically includes debugging information such as the exception class, its message, and a stack trace with internal class and method names. This information is of great value to an attacker.
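The entry's own code snippet is not reproduced above, so the following is an added illustration, not the CWE entry's code: a Servlet that resolves a hostname and then greets the client, once with the lookup failure left unhandled and once with it handled. It departs from the entry's scenario in one respect: the hostname comes from a request parameter (named `host` here, an assumption) rather than from the client's own address, so that the failing lookup is reachable by any client. The `javax.servlet` package names are also an assumption; newer containers use `jakarta.servlet` with the same API.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added illustration of a missing handler in a Servlet; not the code from the CWE entry.
// The hostname is read from a "host" request parameter (an assumption made here) so
// that any client can trigger the failing lookup.
public class GreetingServlet extends HttpServlet {

    // BAD: InetAddress.getByName() declares UnknownHostException, and this method
    // simply propagates it. The container then renders its default error page
    // (exception class, message, stack trace) to whoever sent the request.
    protected void greetUnhandled(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String host = req.getParameter("host");
        InetAddress addr = InetAddress.getByName(host);   // throws for an unresolvable name
        res.setContentType("text/plain");
        res.getWriter().println("hello " + addr.getHostAddress());
    }

    // GOOD: the specific exception is caught where it can occur. Details stay in the
    // server log; the client receives a fixed status and a message of our choosing.
    protected void greetHandled(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String host = req.getParameter("host");
        if (host == null || host.isEmpty()) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing host parameter");
            return;
        }
        InetAddress addr;
        try {
            addr = InetAddress.getByName(host);
        } catch (UnknownHostException e) {
            // Log server-side (with the stack trace) for operators; do not echo the
            // client-supplied value or the exception text back to the client.
            getServletContext().log("lookup failed for client-supplied host", e);
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "host could not be resolved");
            return;
        }
        res.setContentType("text/plain");
        res.getWriter().println("hello " + addr.getHostAddress());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        greetHandled(req, res);   // call greetUnhandled() instead to see the container's error page
    }
}
```

The catch block covers the checked exception the entry's mitigation talks about. Anything unchecked that still escapes (a `NullPointerException`, for instance) would again reach the container's default page, so as a second layer configure a container-level error page in `web.xml` (an `<error-page>` element whose `<exception-type>` is `java.lang.Throwable`) that returns a static response; then the default page never reaches a client even when a handler is missing.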
Observed Examples
CVE-2022-25302: SDK for OPC Unified Architecture (OPC UA) is missing a handler for a failed cast, allowing a crash.
References
REF-62: Mark Dowd, John McDonald, and Justin Schuh. The Art of Software Security Assessment. Addison Wesley, 2006.
Applicable Platforms
Languages:
Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns