Difference between revisions of "J2EE Misconfiguration: Unsafe Bean Declaration"

From OWASP
(Added contents from Fortify.)
Changes in this revision, recovered from the wikitext diff:

* Added {{Template:Fortify}} after the existing {{Template:Vulnerability}}.
* Added an ==Abstract== section reading "Entity beans should not be declared remote."
* Under ==Description==, replaced the earlier text "Entity beans are declared remote. Remote entity beans are subject to attacks. In general, there is no good reason for an application to declare entity beans to be remote." with the description given in the revision below.
* Added the ejb-jar.xml deployment-descriptor example under ==Examples== (the EmployeeRecord entity bean with its <home> and <remote> elements).
* In ==Categories==, removed {{Template:Stub}} and added [[Category:Environmental Vulnerability]] and [[Category:Deployment]]; [[Category:Implementation]] and [[Category:Java]] are unchanged.

Revision as of 12:18, 21 July 2006

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by Fortify.

Abstract

Entity beans should not be declared remote.

Description

Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.

Examples

	<ejb-jar>
		<enterprise-beans>
			<entity>
				<ejb-name>EmployeeRecord</ejb-name>
				<home>com.wombat.empl.EmployeeRecordHome</home>
				<remote>com.wombat.empl.EmployeeRecord</remote>
				...
			</entity>
			...
		</enterprise-beans>
	</ejb-jar>
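A small descriptor check for this misconfiguration, added here as an example and not part of the original page or Fortify's tooling: it parses an ejb-jar.xml and reports every <entity> bean that declares a <home> or <remote> interface, while leaving local-only entity beans and session beans alone. The sample descriptor, including the Department and Payroll beans, is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml (an assumption, not from the original page): one entity bean
# with a remote interface, one local-only entity bean and one remote session bean.
SAMPLE_EJB_JAR = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>com.wombat.empl.EmployeeRecordHome</home>
      <remote>com.wombat.empl.EmployeeRecord</remote>
    </entity>
    <entity>
      <ejb-name>Department</ejb-name>
      <local-home>com.wombat.empl.DepartmentLocalHome</local-home>
      <local>com.wombat.empl.DepartmentLocal</local>
    </entity>
    <session>
      <ejb-name>Payroll</ejb-name>
      <home>com.wombat.empl.PayrollHome</home>
      <remote>com.wombat.empl.Payroll</remote>
    </session>
  </enterprise-beans>
</ejb-jar>
"""

def _local_name(tag):
    # Strip the namespace so DTD-based (EJB 1.1/2.0) and XSD-based (EJB 2.1) descriptors work alike.
    return tag.rsplit("}", 1)[-1]

def find_remote_entity_beans(xml_text):
    """One finding per <entity> that declares a <home> or <remote> interface.
    Session beans are not flagged: the misconfiguration described here concerns entity beans only."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if _local_name(bean.tag) != "entity":
            continue
        fields = {_local_name(c.tag): (c.text or "").strip() for c in bean}
        if "remote" in fields or "home" in fields:
            findings.append({"ejb-name": fields.get("ejb-name"),
                             "home": fields.get("home"),
                             "remote": fields.get("remote")})
    return findings

if __name__ == "__main__":
    for f in find_remote_entity_beans(SAMPLE_EJB_JAR):
        print("remote entity bean:", f["ejb-name"], "->", f["remote"])
```

Run against a real deployment descriptor by passing its file contents to find_remote_entity_beans; each finding is a candidate for conversion to a local interface or removal.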


Related Threats

Related Attacks

Related Vulnerabilities

Related Countermeasures

Categories