Variant · Low-Medium

CWE-576: EJB Bad Practices: Use of Java I/O

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

CWE-576 · Variant Level · 1 Mitigation

Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use the java.io package to attempt to access files and directories in the file system." The specification justifies this requirement in the following way: "The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."

Potential Impact

Other

Quality Degradation

Demonstrative Examples

The following Java example is a simple stateless Enterprise JavaBean that retrieves the interest rate for the number of points for a mortgage. In this example, the interest rates for various points are retrieved from an XML document on the local file system, and the EJB uses the Java I/O API to retrieve the XML document from the local file system.
Bad
import java.io.File;
import java.io.IOException;
import java.math.BigDecimal;
import javax.ejb.Stateless;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    private Document interestRateXMLDocument = null;
    private File interestRateFile = null;   /* java.io type: the EJB guideline forbids this inside a bean */

    public InterestRateBean() {
        try {
            /* get XML document from the local filesystem */
            interestRateFile = new File(Constants.INTEREST_RATE_FILE);
            if (interestRateFile.exists()) {
                DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                DocumentBuilder db = dbf.newDocumentBuilder();
                interestRateXMLDocument = db.parse(interestRateFile);
            }
        } catch (IOException | ParserConfigurationException | SAXException ex) {...}
    }

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXML(points);
    }

    /* member function to retrieve interest rate from XML document on the local file system */
    private BigDecimal getInterestRateFromXML(Integer points) {...}
}
This use of the Java I/O API within any kind of Enterprise JavaBean violates the EJB specification by using the java.io package for accessing files within the local filesystem.
An Enterprise JavaBean should use a resource manager API for storing and accessing data. In the following example, the private member function getInterestRateFromXMLParser uses an XML parser API to retrieve the interest rates.
Good
import java.math.BigDecimal;
import javax.ejb.Stateless;

@Stateless
public class InterestRateBean implements InterestRateRemote {

    public InterestRateBean() {}

    public BigDecimal getInterestRate(Integer points) {
        return getInterestRateFromXMLParser(points);
    }

    /* member function to retrieve interest rate from XML document using an XML parser API */
    private BigDecimal getInterestRateFromXMLParser(Integer points) {...}
}
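The CWE entry elides the body of the compliant bean. The following is an added example, not code from the CWE entry, showing the same stateless bean obtaining its data through a container-managed resource manager (JDBC), which is the approach the specification text above recommends. The JNDI name jdbc/MortgageDS, the table INTEREST_RATE(POINTS, RATE) and the shape of the InterestRateRemote interface are assumptions made for illustration.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.ejb.EJBException;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import javax.sql.DataSource;

// Assumed remote interface (the CWE entry names it but does not show it).
@Remote
interface InterestRateRemote {
    BigDecimal getInterestRate(Integer points);
}

// Added example, not from the CWE entry: the interest-rate bean rewritten to use
// a JDBC DataSource supplied by the container. No java.io type appears anywhere,
// so the bean stays portable across EJB containers as the specification requires.
@Stateless
public class InterestRateBean implements InterestRateRemote {

    // Assumed JNDI resource name; the container injects the DataSource.
    @Resource(lookup = "java:comp/env/jdbc/MortgageDS")
    private DataSource dataSource;

    public BigDecimal getInterestRate(Integer points) {
        if (points == null) {
            throw new IllegalArgumentException("points must not be null");
        }
        // Assumed table layout. A parameterised statement keeps the caller-supplied
        // value out of the SQL text itself.
        final String sql = "SELECT RATE FROM INTEREST_RATE WHERE POINTS = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, points);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    return rs.getBigDecimal("RATE");
                }
            }
            // No row for this number of points: report it instead of guessing a rate.
            throw new IllegalArgumentException("no interest rate defined for " + points + " points");
        } catch (SQLException e) {
            // A system exception lets the container roll back and log the failure.
            throw new EJBException("interest rate lookup failed", e);
        }
    }
}
```

The data the original bean read from an XML file now lives in a table owned by the resource manager, so deployment does not depend on a file path being present on whichever host the container runs on.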

Mitigations & Prevention

Implementation

Do not use Java I/O when writing EJBs.
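One way to enforce this mitigation before deployment, as an added example that is not part of the CWE entry: a small Java check that reports java.io imports or fully-qualified java.io references in any source file that carries an EJB component annotation. The annotation list and the regular expressions are this example's own assumptions, and the sample sources inside main are constructed for the demonstration; a real build would run the check over the project's source tree or use an equivalent rule in a static-analysis tool.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not from the CWE entry: a build-time check for CWE-576.
public class EjbIoCheck {

    // Assumed set of annotations that mark a class as an enterprise bean.
    private static final Pattern BEAN_ANNOTATION =
        Pattern.compile("@(Stateless|Stateful|Singleton|MessageDriven)\\b");
    // Any import of the java.io package, single class or wildcard.
    private static final Pattern JAVA_IO_IMPORT =
        Pattern.compile("^\\s*import\\s+java\\.io\\.[\\w.*]+\\s*;");
    // A fully-qualified reference that bypasses the import, e.g. new java.io.File(...).
    private static final Pattern JAVA_IO_FQN = Pattern.compile("\\bjava\\.io\\.\\w+");

    /** Returns one finding per offending line; an empty list means the file is clean. */
    public static List<String> findings(String fileName, String source) {
        List<String> out = new ArrayList<>();
        if (!BEAN_ANNOTATION.matcher(source).find()) {
            return out; // not an enterprise bean, so the EJB guideline does not apply
        }
        String[] lines = source.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            String line = lines[i];
            if (JAVA_IO_IMPORT.matcher(line).find() || JAVA_IO_FQN.matcher(line).find()) {
                out.add(fileName + ":" + (i + 1) + ": CWE-576 java.io used in an EJB: " + line.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the "Bad" bean from the CWE entry, condensed.
        String bad = String.join("\n",
            "import java.io.File;",
            "import javax.ejb.Stateless;",
            "@Stateless",
            "public class InterestRateBean {",
            "    private File f = new File(\"/etc/rates.xml\");",
            "}");
        // Constructed sample: a JDBC-based bean with no java.io usage.
        String good = String.join("\n",
            "import javax.ejb.Stateless;",
            "import javax.sql.DataSource;",
            "@Stateless",
            "public class InterestRateBean {",
            "    @Resource private DataSource ds;",
            "}");
        // Constructed sample: a plain utility class, where java.io is allowed.
        String util = "import java.io.File;\npublic class PathUtil { }";

        for (String f : findings("InterestRateBean.java", bad)) {
            System.out.println(f);   // reports the java.io.File import on line 1
        }
        System.out.println(findings("InterestRateBean.java", good).isEmpty() ? "good: clean" : "good: flagged");
        System.out.println(findings("PathUtil.java", util).isEmpty() ? "util: clean" : "util: flagged");
    }
}
```

The check keys on the import and on fully-qualified names rather than on every use site, so a bean that obtains a java.io object indirectly (for example from a helper class) is not caught; for that case a type-aware tool is needed.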

Taxonomy Mappings

  • Software Fault Patterns: SFP3 — Use of an improper API

Frequently Asked Questions

What is CWE-576?

CWE-576 (EJB Bad Practices: Use of Java I/O) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

How can CWE-576 be exploited?

The impact of CWE-576 (EJB Bad Practices: Use of Java I/O) is quality degradation: a bean that accesses the file system through java.io is not portable and may not behave consistently across EJB containers. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-576?

Key mitigations include: Do not use Java I/O when writing EJBs.

What is the severity of CWE-576?

CWE-576 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.