Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Wait even enhancements in 10g"] [Next entry: "Default passwords for Oracle BPEL Process manager"]

Debu talked about EJB security hole

I made a note about Debu Panda's post "Anonymous EJB Lookup - leaving a security hole in your applications" in his web log a couple of months ago in my bookmarks file and have finally got around to looking at it. I keep a huge list of interesting things I find and papers to read etc in a file and work through them when I get chance but I tend to surf in my spare time for new items so some tend to end up way down the list like this one. I kept it on the list though, rather than marking it as read as it talked in the title about a security hole. Phrases like this always keep me interested, eventually.

In the post Debu talks about how some customerís complain that OC4J does not support anonymous EJB lookup and execution of EJB methods. Debu says

"In my opinion security is a practice that starts during development and I view this as a big security hole in the applications because you are leaving your EJBs in ?ejb30slsb? Applications to be executed by anyone and I will advise against doing this."

he goes on to say that many people have been doing similar for years with other application servers and that they had been looking at this for years but did not allow it out of the box. He then goes on to show an example of how to do it for those who do not care about security. He finishes with

"THINK twice before you do this!"

This is an interesting post because it shows a good lesson. In general if something is not possible or available out of the box and itís a security risk then do not enable it. There are good reasons not to do so. If the product you are using is internet or Intranet facing then the risks are very high. People do love to have things made easy, including not having to authenticate or go through hoops to use something. If something that is a security risk is disabled then don't enable it!