Description
The J2EE application directly manages connections, instead of using the container's connection management facilities.
The J2EE standard forbids the direct management of connections. It requires that applications use the container's resource management facilities to obtain connections to resources. Every major web application container provides pooled database connection management as part of its resource management framework. Duplicating this functionality in an application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard.
Potential Impact
Other
Quality Degradation
Demonstrative Examples
The following class obtains its connection directly from DriverManager and keeps it in a field, bypassing the container's pool entirely (the bad practice this entry describes):
```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DatabaseConnection {
    private static final String CONNECT_STRING = "jdbc:mysql://localhost:3306/mysqldb";
    private Connection conn = null;

    public DatabaseConnection() {}

    public void openDatabaseConnection() {
        try {
            // Direct connection management: the application, not the container, owns this connection
            conn = DriverManager.getConnection(CONNECT_STRING);
        } catch (SQLException ex) {
            ...
        }
    }

    // Member functions for retrieving database connection and accessing database...
}
```
The corrected version looks up a container-managed DataSource through JNDI and lets the container hand out a pooled connection. Note that the lookup key is a JNDI name, not a JDBC URL; the name shown is an example that the deployer binds to the real database in the container's configuration:
```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class DatabaseConnection {
    // JNDI name of the container-managed DataSource (example name declared by the deployer)
    private static final String DB_DATASRC_REF = "java:comp/env/jdbc/mysqldb";
    private Connection conn = null;

    public DatabaseConnection() {}

    public void openDatabaseConnection() {
        try {
            InitialContext ctx = new InitialContext();
            DataSource datasource = (DataSource) ctx.lookup(DB_DATASRC_REF);
            // The container's pool, not the application, manages the underlying connection
            conn = datasource.getConnection();
        } catch (NamingException ex) {
            ...
        } catch (SQLException ex) {
            ...
        }
    }

    // Member functions for retrieving database connection and accessing database...
}
```
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms — J2EE Bad Practices: getConnection()
- Software Fault Patterns: SFP3 — Use of an improper API
Frequently Asked Questions
What is CWE-245?
CWE-245 (J2EE Bad Practices: Direct Management of Connections) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The J2EE application directly manages connections, instead of using the container's connection management facilities.
How can CWE-245 be exploited?
CWE-245 is a bad-practice weakness rather than a directly exploitable flaw; CWE records its potential impact as Quality Degradation. Hand-rolled connection handling is difficult to get right, and connections opened outside the container's pool that are never released can exhaust the database's connection limit and degrade availability. The weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-245?
Obtain connections from a container-managed javax.sql.DataSource (looked up through JNDI or injected by the container) rather than from DriverManager, do not keep Connection objects in fields, and release every connection as soon as the work is done. Back this up with code review and automated static analysis, which detects this pattern with high effectiveness, so it is caught early in the development lifecycle.
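A fuller version of the recommended pattern, written as an added example for this page (it is not code from the CWE entry): the class caches only the container-owned DataSource, borrows a pooled connection per operation, and returns it on every exit path with try-with-resources. It assumes a DataSource declared under the resource-ref name jdbc/mysqldb (bound by the deployer in the container's configuration), the javax namespace of Java EE, and a users table with id and email columns; all three are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/*
 * Added example, not part of the CWE entry. The application never calls
 * DriverManager and never stores a Connection in a field; the container's
 * pool owns every connection and gets each one back in a finally block
 * (which is what try-with-resources expands to).
 *
 * Assumed deployment: the deployer declares the resource in WEB-INF/web.xml,
 *
 *   <resource-ref>
 *     <res-ref-name>jdbc/mysqldb</res-ref-name>
 *     <res-type>javax.sql.DataSource</res-type>
 *     <res-auth>Container</res-auth>
 *   </resource-ref>
 *
 * and binds it to the real database (JDBC URL, credentials, pool size) in
 * the container's own configuration, e.g. a <Resource> element in Tomcat's
 * META-INF/context.xml. The javax.* namespace is assumed; Jakarta EE 9+
 * uses jakarta.* instead.
 */
public class UserRepository {

    // Logical JNDI name resolved through the component environment (assumed name).
    private static final String DB_DATASRC_REF = "java:comp/env/jdbc/mysqldb";

    // The DataSource, not a Connection, is the only thing worth caching:
    // it is thread-safe and owned by the container.
    private final DataSource dataSource;

    public UserRepository() throws NamingException {
        InitialContext ctx = new InitialContext();
        try {
            this.dataSource = (DataSource) ctx.lookup(DB_DATASRC_REF);
        } finally {
            ctx.close();
        }
    }

    // Alternative constructor for tests, or for containers that inject the
    // DataSource directly (e.g. @Resource(name = "jdbc/mysqldb") on a field).
    public UserRepository(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Looks up a user's e-mail address; returns null when no row matches. */
    public String findEmail(long userId) throws SQLException {
        // Borrow a pooled connection for the shortest possible time and hand
        // it back on every exit path, including exceptions.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(
                     "SELECT email FROM users WHERE id = ?")) {
            ps.setLong(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }
}
```

The design point is the scope of the Connection: in the bad example on this page it lives as long as the DatabaseConnection object, so a forgotten close() leaks a pooled connection for the life of the application; here it lives for one method call, and the container's pool, configured by the deployer rather than hard-coded with a JDBC URL, decides how many physical connections exist.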
What is the severity of CWE-245?
CWE-245 is classified as a Variant-level weakness, the most specific level of abstraction in CWE; CWE itself assigns no severity score to it. Its actual severity depends on the specific context and how the weakness manifests in your application.