RE: J2EE EJB privacy leak and DOS.
From: Sylvia Else <sbt13 () cryogenic net>
Date: Fri, 18 Oct 2002 19:57:21 +1000
At 11:36 AM 15/10/2002 -0400, Alan Rouse wrote:
> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects. If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?
To some extent this depends on whether the EJB objects are accessible from
the Internet. Some people take the view that EJB access should always be
mediated by a web server or some such, partly on (unspecified) security
grounds, and partly because of arguments about the accessibility of EJBs
through firewalls. The latter argument has always seemed to me to be
In any case, the security provided by a firewall is somewhat illusory. The
security of the system as a whole is only as high as that of its weakest
link. In this context, the weakest link is anything behind the firewall
that can be compromised in a way that allows an attacker to run code. It
doesn't matter whether the code runs as some user with no privilege - it's
still behind the firewall, and can still access things that the firewall is
meant to block.
I would find it difficult to accept that something represented as an
industrial-strength application infrastructure was regarded as having
security so weak that it needed to be run in a benign security environment,
and I do not see how one could ever be sufficiently sure that that benign
environment actually exists.