From 8f7e76f0cb2a33ca3ff279e1582f9b6a618d72a6 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Tue, 11 Oct 2022 03:59:08 -0400 Subject: [PATCH] spelling: initialization Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- ...JMXConnectorServerFactoryEnvironmentInitialization.java} | 0 ...CorrectRMIConnectorServerEnvironmentInitialization.java} | 0 .../CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp | 6 +++--- 3 files changed, 3 insertions(+), 3 deletions(-) rename java/ql/src/experimental/Security/CWE/CWE-665/{CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java => CorrectJMXConnectorServerFactoryEnvironmentInitialization.java} (100%) rename java/ql/src/experimental/Security/CWE/CWE-665/{CorrectRMIConnectorServerEnvironmentInitalisation.java => CorrectRMIConnectorServerEnvironmentInitialization.java} (100%) diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialization.java similarity index 100% rename from java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java rename to java/ql/src/experimental/Security/CWE/CWE-665/CorrectJMXConnectorServerFactoryEnvironmentInitialization.java diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitalisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitialization.java similarity index 100% rename from java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitalisation.java rename to java/ql/src/experimental/Security/CWE/CWE-665/CorrectRMIConnectorServerEnvironmentInitialization.java 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp index c74d5a9d4b4..51e36dc830c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp +++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp @@ -6,7 +6,7 @@

For special use cases some applications may implement a custom service which handles JMX-RMI connections.

-

When creating such a custom service, a developer should pass a certain environment configuration to the JMX-RMI server initalisation, +

When creating such a custom service, a developer should pass a certain environment configuration to the JMX-RMI server initialization, as otherwise the JMX-RMI service is susceptible to an unsafe deserialization vulnerability.

This is because the JMX-RMI service allows attackers to supply arbitrary objects to the service authentication @@ -41,11 +41,11 @@ For this reason an initialization with a null environment is also v

The first example shows how an JMX server is initialized securely with the JMXConnectorServerFactory.newJMXConnectorServer() call.

- +

The second example shows how a JMX Server is initialized securely if the RMIConnectorServer class is used.

- +
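Review bot: The two renamed Java samples had different spellings in their old names (`CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java` and `CorrectRMIConnectorServerEnvironmentInitalisation.java`), so a single search pattern will miss one of them when checking for leftover references. Both renames are at 100% similarity, so the file contents are unchanged and only the paths move. Please search the repository for both old file names and confirm that the only references were the ones in InsecureRmiJmxEnvironmentConfiguration.qhelp that the second hunk changes. A stale reference would leave the query help without its secure-initialization examples.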
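Review bot: In the second hunk of InsecureRmiJmxEnvironmentConfiguration.qhelp, the unchanged context line "The first example shows how an JMX server is initialized securely" should read "a JMX server", and the description of the second example writes "JMX Server" with a capital S. Since this is a spelling pass over the same paragraph, consider fixing the article and settling on one capitalization in both sentences.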