At 11:36 AM 15/10/2002 -0400, Alan Rouse wrote:

> Without more details, it sounds to me as if an attacker would first have
> to deploy her own code in the EJB server, before she could attack the
> target user's objects. If the attacker has that capability, can't she
> accomplish the same end with or without this vulnerability?
>
> Or is there a way to exploit this without the attacker having power to
> deploy her own code?

To some extent this depends on whether the EJB objects are accessible from the Internet. Some people take the view that EJB access should always be mediated by a web server or some such, partly on (unspecified) security grounds, and partly because of arguments about the accessibility of EJBs through firewalls. The latter argument has always seemed to me to be somewhat circular.

In any case, the security provided by a firewall is somewhat illusory. The security of the system as a whole is only as high as that of its weakest link. In this context, the weakest link is anything behind the firewall that can be compromised in a way that allows an attacker to run code. It doesn't matter whether the code runs as some user with no privilege - it's still behind the firewall, and can still access things that the firewall is meant to block.

I would find it difficult to accept that something represented as an industrial-strength application infrastructure was regarded as having security so weak that it needed to be run in a benign security environment, and I do not see how one could ever be sufficiently sure that that benign environment actually exists.

Sylvia.