[UNIX] J2EE EJB Privacy Leak and DoS

From: support@securiteam.com
Date: 10/15/02
From: support@securiteam.com
To: list@securiteam.com
Date: 15 Oct 2002 03:13:25 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  J2EE EJB Privacy Leak and DoS
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Sun's EJB security model allows users to view
and "destroy" (causing a denial of service) other users' objects, even
though they should not have been granted access to them.

DETAILS

The EJB security model associates roles with users, and controls their
access to object methods based on those roles.

Where the object is a stateful session object, any user who holds the
necessary roles can access it, even if the object was created by a
different user. This means that information private to one user can be
read by another. A denial of service follows as well, because any such
user can also destroy the object.

The EJB client is not meant to change its security association, but
neither of the implementations Sylvia has tested enforces this. The EJB
specification does not actually require the server to do so.

To access the object, a user's client needs to know the IOR. However, on
the implementations Sylvia has tested, IORs are allocated in a trivial way
that makes it simple to derive new valid IORs from an existing valid one.
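
As an added illustration (not code from the advisory, nor from Sun's or any vendor's EJB implementation) of why role-based method permissions alone do not tie a stateful session bean to the user who created it, the hypothetical EJB 2.x bean below records the creating principal and re-checks it on every business method; the class, method names and the balance state are assumptions:

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// Hypothetical stateful session bean (EJB 2.x style, to match the 2002 advisory).
// Role-based <method-permission> entries in ejb-jar.xml decide WHO may call a
// method, but not WHICH caller created this particular instance.
public class ShoppingCartBean implements SessionBean {
    private SessionContext ctx;
    private String owner;          // principal name recorded at creation
    private double balance = 0.0;  // per-user private state

    public void setSessionContext(SessionContext sc) { this.ctx = sc; }

    // Runs when the client calls create() on the home: bind the instance to its creator.
    public void ejbCreate() throws CreateException {
        Principal p = ctx.getCallerPrincipal();
        if (p == null) throw new CreateException("no caller principal");
        this.owner = p.getName();
    }

    // Vulnerable form: trusts the descriptor alone. Any caller in the permitted
    // role who obtains this instance's reference can read another user's state.
    public double getBalanceRoleOnly() { return balance; }

    // Hardened form: the role is still enforced by the container, and the bean
    // additionally refuses every caller other than the one that created it.
    public double getBalance() { requireOwner(); return balance; }
    public void deposit(double amount) { requireOwner(); balance += amount; }

    private void requireOwner() {
        Principal p = ctx.getCallerPrincipal();
        if (p == null || !owner.equals(p.getName())) {
            throw new EJBException("caller " + p + " did not create this session");
        }
    }

    // ejbRemove cannot veto removal in EJB 2.x: if it throws, the container discards
    // the instance anyway. Record a principal mismatch so the DoS is at least detectable.
    public void ejbRemove() {
        Principal p = ctx.getCallerPrincipal();
        if (p != null && !owner.equals(p.getName())) {
            System.err.println("AUDIT: remove() by " + p.getName() + " on session owned by " + owner);
        }
    }
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```

The role check stays in the deployment descriptor; the owner check is the part a descriptor cannot express. Because an EJB 2.x container discards the instance even when ejbRemove throws, the removal path here only audits the mismatch, so the denial of service itself has to be closed by the container or by not issuing references that a client can derive from its own.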

Vendor response:
Sylvia has contacted Sun twice about this, and they have not responded.

ADDITIONAL INFORMATION

The information has been provided by <mailto:sbt13@cryogenic.net> Sylvia.
