CWE-577: EJB Bad Practices: Use of Sockets

The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients."

Potential Impact

Other

Quality Degradation

Demonstrative Examples

The following Java example is a simple stateless Enterprise JavaBean that retrieves stock symbols and stock values. The Enterprise JavaBean creates a socket and listens for and accepts connections from clients on the socket.
Bad
import java.io.IOException;
import java.math.BigDecimal;
import java.net.ServerSocket;
import java.net.Socket;
import javax.ejb.Stateless;

@Stateless
public class StockSymbolBean implements StockSymbolRemote {
    ServerSocket serverSocket = null;
    Socket clientSocket = null;
    public StockSymbolBean() {
        // Violation: the bean binds a listening socket and accepts connections, i.e. it acts as a network server
        try { serverSocket = new ServerSocket(Constants.SOCKET_PORT); } catch (IOException ex) {...}
        try { clientSocket = serverSocket.accept(); } catch (IOException e) {...}
    }
    public String getStockSymbol(String name) {...}
    public BigDecimal getStockValue(String symbol) {...}
    private void processClientInputFromSocket() {...}
}
And the following Java example is similar to the previous example but demonstrates the use of multicast socket connections within an Enterprise JavaBean.
Bad
import java.io.IOException;
import java.math.BigDecimal;
import java.net.ServerSocket;
import java.net.Socket;
import javax.ejb.Stateless;

@Stateless
public class StockSymbolBean extends Thread implements StockSymbolRemote {
    ServerSocket serverSocket = null;
    Socket clientSocket = null;
    boolean listening = false;
    public StockSymbolBean() {
        try { serverSocket = new ServerSocket(Constants.SOCKET_PORT); } catch (IOException ex) {...}
        // Violation: the bean spins up its own thread and keeps accepting connections on the socket
        listening = true;
        while (listening) { start(); }
    }
    public String getStockSymbol(String name) {...}
    public BigDecimal getStockValue(String symbol) {...}
    public void run() {
        try { clientSocket = serverSocket.accept(); } catch (IOException e) {...}
        ...
    }
}
Both of the previous examples violate the EJB specification, which applies to every type of Enterprise JavaBean, by attempting to listen on a socket, accept connections on a socket, or use a socket for multicast.
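As an added screening check, not part of the CWE entry: a Python scanner that flags server-side socket APIs inside EJB-annotated classes while leaving client-only socket use, which the specification allows, unflagged. The annotation list, the regular expressions and the sample Java source are constructed for this example.

```python
import re

# Annotations (javax.ejb / jakarta.ejb) that mark a class as an enterprise bean.
EJB_ANNOTATIONS = ("@Stateless", "@Stateful", "@Singleton", "@MessageDriven")
# Server-side socket APIs an EJB must not use; client-side `new Socket(...)` is deliberately absent.
SERVER_SOCKET_PATTERNS = {
    "ServerSocket": re.compile(r"\bnew\s+ServerSocket\b"),
    "accept()": re.compile(r"\.accept\s*\("),  # heuristic: also hits visitor-style accept()
    "MulticastSocket": re.compile(r"\bnew\s+MulticastSocket\b"),
}
CLASS_RE = re.compile(r"\bclass\s+(\w+)")

def find_ejb_socket_violations(java_source):
    """Return (class_name, line_number, api) for server-socket use inside EJB classes.
    Class scope is tracked by brace depth: fine for screening, not a full Java parser."""
    findings, depth, pending_ejb, current = [], 0, False, None
    for lineno, line in enumerate(java_source.splitlines(), 1):
        if current is None and any(a in line for a in EJB_ANNOTATIONS):
            pending_ejb = True                      # annotation applies to the next class
        m = CLASS_RE.search(line)
        if m and current is None:
            current = (m.group(1), pending_ejb, depth)  # (name, is_ejb, depth_at_open)
            pending_ejb = False
        if current is not None and current[1]:
            for api, pat in SERVER_SOCKET_PATTERNS.items():
                if pat.search(line):
                    findings.append((current[0], lineno, api))
        depth += line.count("{") - line.count("}")
        if current is not None and depth <= current[2]:
            current = None                          # class body closed
    return findings

# Constructed sample: a listening bean (violation), a client-only bean (allowed), and a non-EJB class.
SAMPLE = """\
@Stateless
public class StockSymbolBean implements StockSymbolRemote {
    ServerSocket serverSocket = null;
    public StockSymbolBean() {
        try { serverSocket = new ServerSocket(9000); } catch (IOException ex) {}
        try { clientSocket = serverSocket.accept(); } catch (IOException e) {}
    }
}
@Stateless
public class QuoteClientBean implements QuoteRemote {
    public String fetch() throws IOException { return read(new Socket("quotes.example", 9000)); }
}
public class StandaloneServer {
    public static void main(String[] a) throws IOException { new ServerSocket(9000).accept(); }
}
"""
```

Running `find_ejb_socket_violations(SAMPLE)` reports only the two server-side calls in StockSymbolBean; the client-only bean and the plain class are not reported.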

Mitigations & Prevention

Phases: Architecture and Design; Implementation

Do not use Sockets when writing EJBs.

Taxonomy Mappings

  • Software Fault Patterns: SFP3 — Use of an improper API

Frequently Asked Questions

What is CWE-577?

CWE-577 (EJB Bad Practices: Use of Sockets) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

How can CWE-577 be exploited?

The impact of CWE-577 (EJB Bad Practices: Use of Sockets) is quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-577?

Key mitigations include: Do not use Sockets when writing EJBs.

What is the severity of CWE-577?

CWE-577 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.