1. Home
  2. CWE Database
  3. CWE-9
Variant · Low-Medium

CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

CWE-9 · Variant Level ·1 Mitigations

Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

Potential Impact

Other

Other

Demonstrative Examples

The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().
Bad
<ejb-jar>...<assembly-descriptor><method-permission><role-name>ANYONE</role-name><method><ejb-name>Employee</ejb-name><method-name>getSalary</method-name></method-permission></assembly-descriptor>...</ejb-jar>

Mitigations & Prevention

Architecture and DesignSystem Configuration

Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

CWE-266: Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor...

Taxonomy Mappings

  • 7 Pernicious Kingdoms: — J2EE Misconfiguration: Weak Access Permissions

Frequently Asked Questions

What is CWE-9?

CWE-9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

How can CWE-9 be exploited?

Attackers can exploit CWE-9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods) to other. This weakness is typically introduced during the Architecture and Design, Implementation phase of software development.

How do I prevent CWE-9?

Key mitigations include: Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

What is the severity of CWE-9?

CWE-9 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.