The J2EE application directly uses sockets instead of using framework method calls.
View on MITREThe J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.
Use framework method calls instead of using sockets directly.
No detection method information available for this CWE.
The following example opens a socket to connect to a remote server.
A Socket object is created directly within the Java servlet, which is a dangerous way to manage remote connections.
No relationship information available for this CWE.
CWE-246: J2EE Bad Practices: Direct Use of Sockets is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The J2EE application directly uses sockets instead of using framework method calls. The J2EE standard permits the use of sockets only for the purpose of communication with legacy systems when no higher-level protocol is available. Authoring your own communication protocol requires wrestling with difficult security issues. Without significant scrutiny by a security expert, chances are good that a custom communication protocol will suffer from security problems. Many of the same issues apply to a custom implementation of a standard protocol. While there are usually more resources available that address security concerns related to implementing a standard protocol, these resources are also available to attackers.
If exploited, CWE-246 (J2EE Bad Practices: Direct Use of Sockets) it can compromise Other, leading to outcomes such as Quality Degradation.
Recommended mitigations for CWE-246 include: Use framework method calls instead of using sockets directly.
CWE-246 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-246 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.