CWE-246: J2EE Bad Practices: Direct Use of Sockets

VariantDraft

The J2EE application directly uses sockets instead of using framework method calls.

View on MITRE
Back to CWE Lookup

Extended Description

The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-246: J2EE Bad Practices: Direct Use of Sockets?+

CWE-246: J2EE Bad Practices: Direct Use of Sockets is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The J2EE application directly uses sockets instead of using framework method calls. The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.

What are the security consequences of J2EE Bad Practices: Direct Use of Sockets?+

If exploited, CWE-246 (J2EE Bad Practices: Direct Use of Sockets) it can compromise Other, leading to outcomes such as Quality Degradation.

How do you prevent or mitigate J2EE Bad Practices: Direct Use of Sockets?+

Recommended mitigations for CWE-246 include: Use framework method calls instead of using sockets directly.

Which programming languages are affected by J2EE Bad Practices: Direct Use of Sockets?+

CWE-246 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-246 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More