[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

250770

 
 

909

 
 

196157

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Unsynchronized Access to Shared Data in a Multithreaded Context

ID: 567Date: (C)2012-05-14   (M)2022-10-10
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Extended Description

Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable.

Note that this weakness is not unique to servlets.

Applicable Platforms
Language Class: Java

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Confidentiality
Integrity
Availability
 		Read application data
Modify application data
DoS: instability
DoS: crash / exit / restart
 		If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Implementation
 		 Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.
 		  

Relationships

Related CWETypeViewChain
CWE-567 ChildOf CWE-894 Category CWE-888  

Demonstrative Examples   (Details)

  1. The following code implements a basic counter for how many times the page has been accesed.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
CERT Java Secure Coding VNA00-J
 		Ensure visibility when accessing shared primitive variables
 		 
CERT Java Secure Coding VNA02-J
 		Ensure that compound operations on shared variables are atomic
 		 

References:
None
CVE    1
CVE-2020-25724

© SecPod Technologies