CWE-567 Detail

CWE-567

Unsynchronized Access to Shared Data in a Multithreaded Context
Draft
2006-12-15 00:00 +00:00
2023-06-29 00:00 +00:00

Alerte pour un CWE

Stay informed of any changes for a specific CWE.
Alert management

Unsynchronized Access to Shared Data in a Multithreaded Context

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Extended Description

Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable.

Note that this weakness is not unique to servlets.

Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Name: Java (Undetermined)

Common Consequences

Scope Impact Likelihood
Confidentiality
Integrity
Availability
Read Application Data, Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart

Note: If the shared variable contains sensitive data, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.

Potential Mitigations

Phases : Implementation
Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-25 Forced Deadlock
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

Submission

Name Organization Date Date Release Version
CWE Community 2006-12-15 +00:00 2006-12-15 +00:00 Draft 5

Modifications

Name Organization Date Comment
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Relationships, Other_Notes
CWE Content Team MITRE 2010-09-27 +00:00 updated Other_Notes
CWE Content Team MITRE 2010-12-09 +00:00 Made name and description more specific to match the essence of the rest of the entry.
CWE Content Team MITRE 2010-12-13 +00:00 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-07-17 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2020-08-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.