CWE-8 Individual Dictionary Definition (Draft 9)

Weakness ID: 8 (Weakness Variant)
Status: Incomplete

Description
    Summary: When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.

Potential Mitigations
    Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that your application logic performs appropriate validation of any data that might be modified by an attacker.

Demonstrative Examples
    <ejb-jar>
      <enterprise-beans>
        <entity>
          <ejb-name>EmployeeRecord</ejb-name>
          <home>com.wombat.empl.EmployeeRecordHome</home>
          <remote>com.wombat.empl.EmployeeRecord</remote>
          ...
        </entity>
        ...
      </enterprise-beans>
    </ejb-jar>

Context Notes
    Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.

Relationships

Source Taxonomies
    7 Pernicious Kingdoms - J2EE Misconfiguration: Unsafe Bean Declaration
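The mitigation above ("declare beans local when possible") can be shown directly in the deployment descriptor. The following is an added example, not part of the CWE entry: the EmployeeRecord bean from the Demonstrative Examples field declared first with the weak remote interface and then with a local-only interface. The package name com.wombat.empl comes from the entry; the EJB 2.x descriptor elements (ejb-class, persistence-type, prim-key-class, reentrant) and the class names ending in Local / LocalHome are assumptions chosen for illustration.

```xml
<!-- Added example (not the CWE entry's own text). Two separate ejb-jar.xml
     variants for the same entity bean; each would live in its own deployment. -->

<!-- (a) Weak declaration: <home>/<remote> publish the bean over RMI-IIOP, so every
     getter and setter on EmployeeRecord is reachable by any client that can look the
     bean up in JNDI. This is the pattern CWE-8 describes. -->
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
      <ejb-class>com.wombat.empl.EmployeeRecordBean</ejb-class>   <!-- assumed -->
      <persistence-type>Container</persistence-type>               <!-- assumed -->
      <prim-key-class>java.lang.String</prim-key-class>            <!-- assumed -->
      <reentrant>False</reentrant>
    </entity>
  </enterprise-beans>
</ejb-jar>

<!-- (b) Hardened declaration: only <local-home>/<local> are declared, so the bean can
     be invoked only by components running in the same JVM (typically a session bean
     facade that performs authorization and validates data before it reaches the
     entity). No remote stub is generated, so the entity is no longer part of the
     externally reachable attack surface. -->
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <local-home>com.wombat.empl.EmployeeRecordLocalHome</local-home> <!-- assumed -->
      <local>com.wombat.empl.EmployeeRecordLocal</local>               <!-- assumed -->
      <ejb-class>com.wombat.empl.EmployeeRecordBean</ejb-class>        <!-- assumed -->
      <persistence-type>Container</persistence-type>                    <!-- assumed -->
      <prim-key-class>java.lang.String</prim-key-class>                 <!-- assumed -->
      <reentrant>False</reentrant>
    </entity>
  </enterprise-beans>
</ejb-jar>
```

A practical review check that follows from the Context Notes: search each ejb-jar.xml for an <entity> element that contains a <remote> child. Because remote entity beans are rarely justified on performance grounds, every such declaration should be treated as a finding to confirm with the developers rather than as an accepted design. Where a remote interface really is required, the remaining mitigation applies: keep sensitive fields out of the remote interface and validate every value a remote setter can change.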