CWE-9:J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Weakness ID: 9
Version: v4.17
Weakness Name: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
▼Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

▼Extended Description

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 266
Name: Incorrect Privilege Assignment
▼Memberships
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 2
Name: 7PK - Environment
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 723
Name: OWASP Top Ten 2004 Category A2 - Broken Access Control
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 731
Name: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 901
Name: SFP Primary Cluster: Privilege
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1396
Name: Comprehensive Categorization: Access Control
▼Tags
Nature: MemberOf
Mapping: Prohibited
Type: BOSSView
ID: BOSS-312
Name: Other (impact)
▼Relevant To View
Relevant to the view "Seven Pernicious Kingdoms - (700)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 2
Name: 7PK - Environment
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 901
Name: SFP Primary Cluster: Privilege
▼Background Detail

▼Common Consequences
Scope: Other
Likelihood: N/A
Impact: Other
Note: N/A
▼Potential Mitigations
Phase: Architecture and Design, System Configuration
Description:

Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

▼Applicable Platforms
▼Demonstrative Examples
Example 1

The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().

Language: XML (Bad code)

<ejb-jar>
  ...
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
  ...
</ejb-jar>
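The mitigation above is easy to check mechanically. The script below is an added example, not code from this CWE entry or from any EJB container: it parses an ejb-jar.xml deployment descriptor with the standard library and reports every method whose method-permission grants access to the catch-all ANYONE role. It goes a step beyond the entry by also flagging the EJB 2.x `<unchecked/>` element, which likewise disables authorization for the listed methods. The sample descriptor, the role name ANYONE as the catch-all role, and the function names are assumptions constructed for the example.

```python
"""Audit an EJB deployment descriptor for over-permissive method permissions.

Added example for CWE-9 (not the CWE entry's or any vendor's code).
Assumptions: the EJB 2.x <assembly-descriptor> layout shown in the entry,
ANYONE as the catch-all role the entry describes, and <unchecked/> (the
EJB 2.x element that turns authorization off for a method) treated the
same way.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: one ANYONE grant, one <unchecked/> grant,
# and one properly restricted method that must NOT be reported.
SAMPLE_DESCRIPTOR = """<?xml version="1.0"?>
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>ANYONE</role-name></security-role>
    <security-role><role-name>payroll</role-name></security-role>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>payroll</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>setSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Role names treated as "everyone"; ANYONE comes from the CWE entry.
CATCH_ALL_ROLES = {"ANYONE"}


def _local(tag):
    """Drop an XML namespace ({uri}name -> name) so DTD-based EJB 2.0 and
    namespaced EJB 2.1+ descriptors are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    kids = _children(el, name)
    return (kids[0].text or "").strip() if kids else ""


def find_weak_permissions(descriptor_xml, catch_all_roles=CATCH_ALL_ROLES):
    """Return (ejb_name, method_name, reason) for every method whose
    <method-permission> names a catch-all role or contains <unchecked/>."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    perms = (el for el in root.iter() if _local(el.tag) == "method-permission")
    for perm in perms:
        roles = [(r.text or "").strip() for r in _children(perm, "role-name")]
        weak = sorted(r for r in roles if r.upper() in catch_all_roles)
        unchecked = bool(_children(perm, "unchecked"))
        if not weak and not unchecked:
            continue  # restricted to named roles: least privilege respected
        reason = "unchecked" if unchecked else "role " + ",".join(weak)
        for method in _children(perm, "method"):
            findings.append((_text(method, "ejb-name"),
                             _text(method, "method-name"), reason))
    return findings


if __name__ == "__main__":
    for ejb, method, reason in find_weak_permissions(SAMPLE_DESCRIPTOR):
        print(f"CWE-9: {ejb}.{method} is invokable by everyone ({reason})")
```

Run it against a real ejb-jar.xml by reading the file into `find_weak_permissions`; a method-name of `*` means the permission covers every method of that bean, so such a finding is worth treating as the most severe.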

▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes
▼Taxonomy Mappings
Taxonomy Name: 7 Pernicious Kingdoms
Entry ID: N/A
Fit: N/A
Entry Name: J2EE Misconfiguration: Weak Access Permissions
▼Related Attack Patterns
▼References
Reference ID: REF-6
Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
Publication: NIST Workshop on Software Security Assurance Tools Techniques and Metrics
Publisher: NIST
URL: https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Date: 2005-11-07