Byte Open Security (ByteOS Network)
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
Weakness ID: 8
Version: v4.17
Weakness Name: J2EE Misconfiguration: Entity Bean Declared Remote
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Discouraged
Type: Class
ID: 668
Name: Exposure of Resource to Wrong Sphere
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 2
Name: 7PK - Environment

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 731
Name: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data

Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1403
Name: Comprehensive Categorization: Exposed Resource
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-318
Name: Modify Application Data (impact)

Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-328
Name: Read Application Data (impact)
▼Relevant To View
Relevant to the view "Seven Pernicious Kingdoms - (700)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 2
Name: 7PK - Environment

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data
▼Background Detail

▼Common Consequences
Scope: Confidentiality, Integrity
Likelihood: N/A
Impact: Read Application Data, Modify Application Data
Note: N/A
▼Potential Mitigations
Phase: Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.

Note:

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

▼Applicable Platforms
▼Demonstrative Examples
Example 1

The following example demonstrates the weakness.

Language: XML (Bad code)

<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
      ...
    </entity>
    ...
  </enterprise-beans>
</ejb-jar>
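The check a reviewer would run over a descriptor like the one above, written here as an added example (it is not code from the CWE entry or from any J2EE project): it parses an ejb-jar.xml, flags every entity bean that declares a remote interface (a remote or home element), and contrasts the descriptor above with a constructed local-only version that follows the mitigation. Both sample descriptors are constructed; the ejb-class and persistence-type elements, the EmployeeRecordBean class and the EmployeeRecordLocalHome/EmployeeRecordLocal interface names are assumptions, not part of the original example.

```python
"""Audit an EJB 2.x ejb-jar.xml for entity beans declared remote (CWE-8).

Added example, not part of the CWE entry. Handles both unqualified EJB 2.0
descriptors and namespaced EJB 2.1 descriptors.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the CWE demonstrative descriptor, completed with an
# assumed ejb-class and persistence-type so that it parses as a whole file.
REMOTE_ENTITY_DESCRIPTOR = """<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
      <ejb-class>com.wombat.empl.EmployeeRecordBean</ejb-class>
      <persistence-type>Container</persistence-type>
    </entity>
  </enterprise-beans>
</ejb-jar>
"""

# Constructed sample: the same bean following the mitigation. Only local
# interfaces (<local-home>/<local>) are declared, so the bean is reachable
# solely from code running in the same JVM. Interface names are assumed.
LOCAL_ENTITY_DESCRIPTOR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <local-home>com.wombat.empl.EmployeeRecordLocalHome</local-home>
      <local>com.wombat.empl.EmployeeRecordLocal</local>
      <ejb-class>com.wombat.empl.EmployeeRecordBean</ejb-class>
      <persistence-type>Container</persistence-type>
    </entity>
  </enterprise-beans>
</ejb-jar>
"""


def _local_name(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/j2ee}'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None if absent."""
    for child in elem:
        if _local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_remote_entity_beans(descriptor_xml):
    """Return one finding per <entity> that declares <remote> or <home>.

    A finding records the bean name, the remote interfaces it exposes and
    whether a local interface is also present (a leftover remote declaration
    next to a local one is a strong hint that the remote one is unneeded).
    """
    root = ET.fromstring(descriptor_xml)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "entity":
            continue
        remote = _child_text(elem, "remote")
        home = _child_text(elem, "home")
        if remote is None and home is None:
            continue  # local-only bean: not in scope for CWE-8
        findings.append({
            "ejb-name": _child_text(elem, "ejb-name") or "<unnamed>",
            "home": home,
            "remote": remote,
            "has-local": _child_text(elem, "local") is not None,
        })
    return findings


def report(descriptor_xml):
    """One human-readable line per finding, with the applicable mitigation."""
    lines = []
    for f in find_remote_entity_beans(descriptor_xml):
        if f["has-local"]:
            hint = "a local interface already exists; drop the remote one"
        else:
            hint = "declare <local-home>/<local> unless remote access is required"
        lines.append(f"CWE-8: entity bean '{f['ejb-name']}' exposes remote interface "
                     f"{f['remote']} (home {f['home']}); {hint}")
    return lines


if __name__ == "__main__":
    for label, xml_text in (("bad", REMOTE_ENTITY_DESCRIPTOR),
                            ("fixed", LOCAL_ENTITY_DESCRIPTOR)):
        print(f"--- {label} descriptor ---")
        print("\n".join(report(xml_text)) or "no remote entity beans found")
```

Run against a real deployment, the script would be pointed at each META-INF/ejb-jar.xml in the deployed archives; a bean that must stay remote is then reviewed against the second half of the mitigation (no sensitive fields on the remote interface, validation of every setter input) rather than simply rewritten.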

▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
Other

Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.

▼Taxonomy Mappings
Taxonomy Name: 7 Pernicious Kingdoms
Entry ID: N/A
Fit: N/A
Entry Name: J2EE Misconfiguration: Unsafe Bean Declaration

Taxonomy Name: Software Fault Patterns
Entry ID: SFP23
Fit: N/A
Entry Name: Exposed Data
▼Related Attack Patterns
▼References
Reference ID: REF-6
Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
Section:
Publication: NIST Workshop on Software Security Assurance Tools Techniques and Metrics
Publisher: NIST
Edition:
URL: https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
URL Date:
Date: 2005-11-07