Unsynchronized Access to Shared Data in a Multithreaded Context
ID: 567 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The product does not properly synchronize shared data, such as
static variables across threads, which can lead to undefined behavior and
unpredictable data changes.
Extended Description
Within servlets, shared static variables are not protected from concurrent
access, but servlets are multithreaded. This is a typical programming
mistake in J2EE applications, since the multithreading is handled by the
framework. When a shared variable can be influenced by an attacker, one
thread could wind up modifying the variable to contain data that is not
valid for a different thread that is also using the data within the
variable.
Note that this weakness is not unique to servlets.
Applicable Platforms
Language Class: Java
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Confidentiality, Integrity, Availability | Read application data; Modify application data; DoS: instability; DoS: crash / exit / restart | If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-567 ChildOf CWE-894 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following code implements a basic counter for how many times
the page has been accessed.
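The demonstrative example's code is not reproduced on this page, so the following is an added illustration of the pattern it describes; it is not the CWE entry's own listing. The class and method names (SharedCounterDemo, UnsafeHitCounter, SafeHitCounter, SynchronizedHitCounter, handleRequest, simulate) are assumed for the illustration. handleRequest() stands in for a servlet's doGet() so that the program runs with a plain JDK and no servlet container: a pool of threads plays the role of concurrent requests, the unsynchronized static counter loses updates, and the two hardened counters (one using AtomicInteger, one using synchronized access as the mitigation recommends) reach the expected total.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class SharedCounterDemo {

    // Vulnerable pattern (CWE-567): a static counter mutated by every request
    // thread with no synchronization. In a servlet this is a static field
    // incremented inside doGet(); handleRequest() stands in for doGet() here.
    static class UnsafeHitCounter {
        private static int hits = 0;

        static void handleRequest() {
            // "hits++" is a read-modify-write. Two threads can read the same
            // value and both write value + 1, so one increment is lost, and
            // without a happens-before edge other threads may read stale values.
            hits++;
        }

        static int hits() { return hits; }
    }

    // Hardened pattern 1: AtomicInteger makes the compound operation atomic
    // (VNA02-J) and guarantees visibility across threads (VNA00-J).
    static class SafeHitCounter {
        private static final AtomicInteger hits = new AtomicInteger();

        static void handleRequest() {
            hits.incrementAndGet();
        }

        static int hits() { return hits.get(); }
    }

    // Hardened pattern 2: the mitigation's "synchronized access". Every read
    // and write goes through the same monitor, so increments cannot interleave.
    static class SynchronizedHitCounter {
        private static int hits = 0;

        static synchronized void handleRequest() {
            hits++;
        }

        static synchronized int hits() { return hits; }
    }

    // Simulates `threads` concurrent clients each issuing `requestsPerThread`
    // requests. The latch releases all workers at once to maximise contention.
    static void simulate(Runnable perRequest, int threads, int requestsPerThread)
            throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            pool.execute(() -> {
                try {
                    start.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    return;
                }
                for (int i = 0; i < requestsPerThread; i++) {
                    perRequest.run();
                }
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES); // also publishes the workers' writes
    }

    public static void main(String[] args) throws InterruptedException {
        int threads = 8;
        int perThread = 200_000;
        int expected = threads * perThread;

        simulate(UnsafeHitCounter::handleRequest, threads, perThread);
        System.out.println("unsafe static int   : expected " + expected
                + ", got " + UnsafeHitCounter.hits());

        simulate(SafeHitCounter::handleRequest, threads, perThread);
        System.out.println("AtomicInteger       : expected " + expected
                + ", got " + SafeHitCounter.hits());

        simulate(SynchronizedHitCounter::handleRequest, threads, perThread);
        System.out.println("synchronized access : expected " + expected
                + ", got " + SynchronizedHitCounter.hits());
    }
}
```

Compile and run with `javac SharedCounterDemo.java && java SharedCounterDemo`. The unsafe counter typically reports fewer hits than expected, and the shortfall varies from run to run, which is exactly the "unpredictable data changes" the description refers to; the two hardened counters always report the expected total. The same lost-update mechanism applies to any static field a servlet derives from request data, which is why the mitigation prefers removing the shared static state altogether rather than only synchronizing it.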
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CERT Java Secure Coding | VNA00-J | Ensure visibility when accessing shared primitive variables | |
CERT Java Secure Coding | VNA02-J | Ensure that compound operations on shared variables are atomic | |
References: None