CWE-577 EJB不安全实践:使用套接字

admin 2021年11月4日23:16:08评论46 views字数 2625阅读8分45秒阅读模式

CWE-577 EJB不安全实践:使用套接字

EJB Bad Practices: Use of Sockets

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown

基本描述

The program violates the Enterprise JavaBeans (EJB) specification by using sockets.

扩展描述

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the program violates the following EJB guideline: "An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast." The specification justifies this requirement in the following way: "The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean-- to serve the EJB clients."

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 573 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 573 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Name': 'Java', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Other Quality Degradation

可能的缓解方案

['Architecture and Design', 'Implementation']

策略:

Do not use Sockets when writing EJBs.

示例代码

The following Java example is a simple stateless Enterprise JavaBean that retrieves stock symbols and stock values. The Enterprise JavaBean creates a socket and listens for and accepts connections from clients on the socket.

bad Java

@Stateless
public class StockSymbolBean implements StockSymbolRemote {


ServerSocket serverSocket = null;
Socket clientSocket = null;

public StockSymbolBean() {

try {

serverSocket = new ServerSocket(Constants.SOCKET_PORT);

} catch (IOException ex) {...}

try {

clientSocket = serverSocket.accept();

} catch (IOException e) {...}

}

public String getStockSymbol(String name) {...}

public BigDecimal getStockValue(String symbol) {...}

private void processClientInputFromSocket() {...}

}

And the following Java example is similar to the previous example but demonstrates the use of multicast socket connections within an Enterprise JavaBean.

bad Java

@Stateless
public class StockSymbolBean extends Thread implements StockSymbolRemote {


ServerSocket serverSocket = null;
Socket clientSocket = null;
boolean listening = false;

public StockSymbolBean() {

try {

serverSocket = new ServerSocket(Constants.SOCKET_PORT);

} catch (IOException ex) {...}

listening = true;
while(listening) {

start();

}

}

public String getStockSymbol(String name) {...}

public BigDecimal getStockValue(String symbol) {...}

public void run() {

try {

clientSocket = serverSocket.accept();

} catch (IOException e) {...}
...

}

}

The previous two examples within any type of Enterprise JavaBean violate the EJB specification by attempting to listen on a socket, accepting connections on a socket, or using a socket for multicast.

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
Software Fault Patterns SFP3 Use of an improper API

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年11月4日23:16:08
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-577 EJB不安全实践:使用套接字http://cn-sec.com/archives/613099.html

发表评论

匿名网友 填写信息