Description
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
Potential Impact
Confidentiality, Integrity
Read Application Data, Modify Application Data
Demonstrative Examples
The following ejb-jar.xml fragment declares the EmployeeRecord entity bean with a remote home interface and a remote component interface. Every business method on com.wombat.empl.EmployeeRecord, including any getter or setter for the bean's persistent fields, therefore becomes callable by any client that can reach the container's RMI/IIOP endpoint:

  <ejb-jar>
    <enterprise-beans>
      <entity>
        <ejb-name>EmployeeRecord</ejb-name>
        <home>com.wombat.empl.EmployeeRecordHome</home>
        <remote>com.wombat.empl.EmployeeRecord</remote>
        ...
      </entity>
      ...
    </enterprise-beans>
  </ejb-jar>

Mitigations & Prevention
Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.
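As an added example (not part of the CWE entry), here is the same descriptor corrected so the entity bean is reachable only from code running inside the container: the remote <home>/<remote> pair is replaced by <local-home>/<local>. The interface names EmployeeRecordLocalHome and EmployeeRecordLocal, the bean class EmployeeRecordBean, and the persistence-type, prim-key-class and reentrant values are assumptions chosen to make the fragment complete; only the EmployeeRecord name and the com.wombat.empl package come from the page's example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ejb-jar.xml (EJB 2.x style descriptor).
     Corrected declaration: the entity bean exposes LOCAL interfaces only,
     so its getters/setters cannot be invoked over RMI/IIOP by an external client. -->
<ejb-jar>
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>

      <!-- Weak (CWE-8) declaration that was removed. Keeping it alongside
           <local-home>/<local> would still expose the bean remotely:
             <home>com.wombat.empl.EmployeeRecordHome</home>
             <remote>com.wombat.empl.EmployeeRecord</remote>
      -->

      <!-- Assumed interface names; they must extend javax.ejb.EJBLocalHome
           and javax.ejb.EJBLocalObject respectively. -->
      <local-home>com.wombat.empl.EmployeeRecordLocalHome</local-home>
      <local>com.wombat.empl.EmployeeRecordLocal</local>

      <!-- Assumed bean class and CMP settings, present only to make the
           entry a complete, deployable <entity> element. -->
      <ejb-class>com.wombat.empl.EmployeeRecordBean</ejb-class>
      <persistence-type>Container</persistence-type>
      <prim-key-class>java.lang.Integer</prim-key-class>
      <reentrant>False</reentrant>
    </entity>
  </enterprise-beans>
</ejb-jar>
```

Deployment-time check: grep every ejb-jar.xml (and, for EJB 3 code, every class annotated @Remote) for <entity> elements that still carry <home> or <remote>; each hit is a bean whose data-access methods are callable from outside the container and must either be made local or fronted by a session facade that validates every field a caller can change.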
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms: J2EE Misconfiguration: Unsafe Bean Declaration
- Software Fault Patterns: SFP23 — Exposed Data
Frequently Asked Questions
What is CWE-8?
CWE-8 (J2EE Misconfiguration: Entity Bean Declared Remote) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
How can CWE-8 be exploited?
An attacker who can reach the container's remote (RMI/IIOP) endpoint can call the entity bean's exposed getters and setters directly to read application data or modify application data, bypassing any validation the application performs in its own business logic. The weakness is typically introduced during the Architecture and Design or Implementation phases of software development, since it is a property of how the bean's interfaces are declared rather than of any single method body.
How do I prevent CWE-8?
Key mitigations include: Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.
What is the severity of CWE-8?
CWE-8 is classified as a Variant-level weakness. "Variant" describes the entry's abstraction level (the most specific level in CWE, below Class and Base), not a severity rating; CWE does not assign a fixed severity to entries. The actual severity depends on the specific context: which fields the remotely exposed methods read or write, who can reach the remote endpoint, and how the weakness manifests in your application.