Unsynchronized Access to Shared Data
Weakness ID: 567 (Weakness Base)Status: Draft
+ Description

Description Summary

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

Example Language: Java 
public static class Counter extends HttpServlet {
static int count = 0;
protected void doGet(HttpServletRequest in, HttpServletResponse out)
throws ServletException, IOException {
out.setContentType("text/plain");
PrintWriter p = out.getWriter();
count++;
p.println(count + " hits so far!");
}
}
+ Potential Mitigations

A shared variable vulnerability can be prevented by removing the use of static variables used between servlets or to provide protection when shared access is absolutely needed. In this case, access should be synchronized.

+ Other Notes

The vulnerability can exist in servlets because a servlet is multi-threaded, and shared static variables are not protected from concurrent access. This is a typical programming mistake in J2EE applications, since the multi-threading is handled by the framework. The use of shared variables can be exploited by attackers to gain information or to cause denial of service conditions. If this shared data contains sensitive information, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory557Concurrency Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base662Insufficient Synchronization
Research Concepts (primary)1000
PeerOfWeakness VariantWeakness Variant488Data Leak Between Sessions
Research Concepts1000
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
25Forced Deadlock
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes