Description
Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors.
Potential Impact
Other
Quality Degradation
Demonstrative Examples
// Demonstrative example: the servlet spawns a raw Thread, which the container
// cannot see, pool, time out or shut down. (Class wrapper and imports added
// so the snippet compiles; the class name is illustrative.)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class StatsServlet extends HttpServlet {
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Perform servlet tasks.
        // ...
        // Create a new thread to handle background processing.
        Runnable r = new Runnable() {
            public void run() {
                // Process and store request statistics.
                // ...
            }
        };
        new Thread(r).start();   // unmanaged thread: outside the container's control
    }
}
Mitigations & Prevention
For EJB, use framework approaches for parallel execution, instead of using threads.
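The following is an added example, not code from the CWE entry or from MITRE, showing the demonstrative servlet above rewritten to use container-managed concurrency as the mitigation recommends: work is handed to a `ManagedExecutorService` or to an `@Asynchronous` EJB method, so the container owns the thread pool, propagates context, and stops the work on undeploy. Class names (`StatsServlet`, `RequestStatsBean`), the `/stats` mapping and the recorded fields are assumptions; `javax.enterprise.concurrent.ManagedExecutorService` with the `java:comp/DefaultManagedExecutorService` JNDI name and `javax.ejb.Asynchronous` are standard Java EE 7 / EJB 3.1 APIs (shown with `javax.*` package names).

```java
// Added example (not part of the CWE entry). Two source files are shown,
// separated by "File:" comments; both assume a Java EE 7+ container.

// --- File: RequestStatsBean.java (hypothetical name) ---
import javax.ejb.Asynchronous;
import javax.ejb.Stateless;

// EJB approach from the mitigation: an @Asynchronous business method returns
// to the caller immediately and the container runs the body on its own pool,
// with transaction and security context handled for you.
@Stateless
public class RequestStatsBean {

    @Asynchronous
    public void record(String path, long durationMillis) {
        // Process and store request statistics (storage elided, as in the CWE example).
    }
}

// --- File: StatsServlet.java (hypothetical name) ---
import java.io.IOException;

import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.enterprise.concurrent.ManagedExecutorService;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/stats")   // hypothetical mapping
public class StatsServlet extends HttpServlet {

    // Servlet approach: the container's default managed executor. Threads come
    // from the container's pool, carry the application's context, and are shut
    // down with the application instead of leaking past redeploy.
    @Resource(lookup = "java:comp/DefaultManagedExecutorService")
    private ManagedExecutorService executor;

    // EJB approach: delegate to the asynchronous session bean above.
    @EJB
    private RequestStatsBean stats;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        final String path = request.getRequestURI();
        final long start = System.nanoTime();

        // Perform servlet tasks.
        response.setContentType("text/plain");
        response.getWriter().println("ok");

        final long elapsedMillis = (System.nanoTime() - start) / 1_000_000L;

        // Replacement for "new Thread(r).start()": the Runnable is unchanged,
        // only the owner of the thread differs. Use this form when the
        // application has no EJBs.
        executor.submit(new Runnable() {
            @Override
            public void run() {
                // Process and store request statistics.
            }
        });

        // Or, in an EJB-based application, hand the same work to the
        // @Asynchronous bean method; the call returns without blocking.
        stats.record(path, elapsedMillis);
    }
}
```

A practical check for the detection method below: any `new Thread(`, `Thread.start()` or `Executors.newXxx(` inside servlet, filter, JSP or EJB code is a candidate finding; the managed forms above (`ManagedExecutorService`, `@Asynchronous`) are what a reviewer should expect to see instead.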
Detection Methods
- Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms — J2EE Bad Practices: Threads
- Software Fault Patterns: SFP3 — Use of an improper API
Frequently Asked Questions
What is CWE-383?
CWE-383 (J2EE Bad Practices: Direct Use of Threads) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
How can CWE-383 be exploited?
Exploiting CWE-383 (J2EE Bad Practices: Direct Use of Threads) results in quality degradation. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-383?
Key mitigations include: For EJB, use framework approaches for parallel execution, instead of using threads.
What is the severity of CWE-383?
CWE-383 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.