diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java similarity index 100% rename from java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java rename to java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitalisation.java similarity index 100% rename from java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java rename to java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitalisation.java diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp index 55d5e3c63e2..c74d5a9d4b4 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp @@ -26,26 +26,11 @@ The filter should (ideally) only allow java.lang.String and disallow all other c
The key-value pair can be set as following:
-
-String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
-
-Map<String, Object> env = new HashMap<String, Object>;
-env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
-
+For applications using Java 6u113 to 9:
-
-// This is deprecated in Java 10+ !
-Map<String, Object> env = new HashMap<String, Object>;
-env.put (
- "jmx.remote.rmi.server.credential.types",
- new String[]{
- String[].class.getName(),
- String.class.getName()
- }
- );
-
+Please note that the JMX-RMI service is vulnerable in the default configuration.
For this reason an initialization with a null environment is also vulnerable.
The first example shows how an JMX server is initialized securely with the JMXConnectorServerFactory.newJMXConnectorServer() call.
The second example shows how a JMX Server is initialized securely if the RMIConnectorServer class is used.
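Review bot: the second rename target, CorrectRMIConnectorServerEnvironmentInitalisation.java, misspells "Initialisation" (the "i" after "Init" is missing), while the first rename target, CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java, spells it correctly; fix the new file name before merging so the two sample file names are consistent and the qhelp can reference it by a correctly spelled name.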
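Review bot: this hunk leaves two lead-in sentences dangling in the qhelp. The unchanged context line "The key-value pair can be set as following:" and the added line "+For applications using Java 6u113 to 9:" both end in a colon, but the code that followed them (the `RMIConnectorServer.CREDENTIALS_FILTER_PATTERN` strings-only filter and the `jmx.remote.rmi.server.credential.types` snippet) is removed without anything taking its place, so the reader is told how to set the key-value pair and then gets no key-value pair. If the examples have moved into the two renamed sample files at the top of the patch, reference them from the qhelp at these points and attach the "Java 6u113 to 9" sentence to the example it introduces; otherwise drop the lead-ins. If the inline snippets are restored instead, correct `new HashMap<String, Object>;` to `new HashMap<String, Object>();` in both, since the removed lines do not compile as written. Minor: the context line "how an JMX server is initialized" should read "a JMX server".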