Variant · Low-Medium

CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context

The product uses the singleton pattern when creating a resource within a multithreaded environment.

CWE-543 · Variant Level · 3 Mitigations

Description

The use of a singleton pattern may not be thread-safe.

Potential Impact

Other, Integrity

Other, Modify Application Data

Demonstrative Examples

This method is part of a singleton pattern, yet the following get_singleton() method is not thread-safe. It is possible that the method will create two objects instead of only one.

Bad (Java):

    private static NumberConverter singleton;

    public static NumberConverter get_singleton() {
        if (singleton == null) {
            singleton = new NumberConverter();
        }
        return singleton;
    }

Consider the following course of events:

  • Thread A enters get_singleton(), finds singleton to be null, and begins constructing a NumberConverter, but is swapped out of execution before the assignment to singleton completes.
  • Thread B enters get_singleton() and also finds singleton null, because A's assignment has not happened yet. B constructs a second NumberConverter, assigns it to singleton, and returns it.
  • Thread A resumes, assigns its own NumberConverter to singleton, and returns that one.

At this point, the threads have created and returned two different objects.

Mitigations & Prevention

Architecture and Design

Use the Thread-Specific Storage Pattern. See References.

Implementation

Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition.
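The two mitigations above (the Thread-Specific Storage pattern, and not keeping per-request data in Servlet member fields), worked through as an added Java example that is not part of the CWE entry. It simulates a servlet-style request handler without using the servlet API: SharedFieldHandler keeps the current user in an instance field, ThreadLocalHandler keeps it in a ThreadLocal, and countMismatches fires concurrent requests and counts how many responses came back carrying another request's user. The class names, the "user-N" request values and the Thread.sleep that stands in for request work are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class ThreadSpecificStorageDemo {

    // Handler modelled on a Servlet that keeps per-request state in a member
    // field: the pattern the mitigation says to avoid. One handler instance
    // serves every request, so every thread shares this one field.
    // (Assumption: a stand-in class, no servlet API involved.)
    static final class SharedFieldHandler {
        private String currentUser;

        String handle(String user) throws InterruptedException {
            currentUser = user;
            Thread.sleep(2);          // simulated work; another request may overwrite currentUser here
            return currentUser;       // may now be a different request's user
        }
    }

    // Thread-Specific Storage: each thread has its own slot, so concurrent
    // requests cannot observe each other's data.
    static final class ThreadLocalHandler {
        private final ThreadLocal<String> currentUser = new ThreadLocal<>();

        String handle(String user) throws InterruptedException {
            currentUser.set(user);
            try {
                Thread.sleep(2);
                return currentUser.get();
            } finally {
                currentUser.remove(); // don't leak this request's data into the pooled thread's next request
            }
        }
    }

    interface Handler {
        String handle(String user) throws InterruptedException;
    }

    // Submits `requests` concurrent calls, each with its own user id, and
    // returns how many responses carried the wrong user (cross-request leakage).
    static int countMismatches(Handler handler, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        try {
            List<Future<Boolean>> results = new ArrayList<>();
            for (int i = 0; i < requests; i++) {
                String user = "user-" + i; // constructed sample request data
                results.add(pool.submit(() -> !user.equals(handler.handle(user))));
            }
            int mismatches = 0;
            for (Future<Boolean> f : results) {
                if (f.get()) mismatches++;
            }
            return mismatches;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("member field mismatches: " + countMismatches(new SharedFieldHandler(), 200));
        System.out.println("ThreadLocal  mismatches: " + countMismatches(new ThreadLocalHandler(), 200));
    }
}
```

Compile with javac and run the class. The member-field handler typically reports a non-zero mismatch count (the exact number depends on scheduling), while the ThreadLocal handler reports zero. The remove() in the finally block matters in a real container: request threads are pooled and reused, so a value left behind would otherwise be visible to whichever request the thread serves next.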

Implementation (Effectiveness: Limited)

Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).
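The Demonstrative Example above and the double-checked locking mitigation, worked through as an added Java example that is not code from the CWE entry. An instrumented stand-in for NumberConverter counts constructor calls, a latch releases 16 threads into each getter at the same instant, and the resulting count shows whether the getter's check-then-act produced more than one instance. The unsafe getter is the page's code; the other three are standard Java fixes: a synchronized method, the initialization-on-demand holder idiom, and double-checked locking on a volatile field, which is only correct under the Java 5 memory model and later. The class and method names (SingletonRaceDemo, race, HolderSingleton, DclSingleton) and the Thread.sleep in the constructor, which widens the race window, are assumptions for the demonstration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class SingletonRaceDemo {

    // Number of NumberConverter instances constructed during one race() call.
    static final AtomicInteger CONSTRUCTED = new AtomicInteger();

    // Instrumented stand-in for the page's NumberConverter (assumption).
    static final class NumberConverter {
        NumberConverter() {
            CONSTRUCTED.incrementAndGet();
            try { Thread.sleep(5); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        }
    }

    // (1) The page's pattern: unsynchronized check-then-act. Two threads can
    // both observe null and each construct an instance (CWE-543).
    static final class UnsafeSingleton {
        private static NumberConverter singleton;
        static NumberConverter get() {
            if (singleton == null) {
                singleton = new NumberConverter();
            }
            return singleton;
        }
    }

    // (2) Simplest fix: the monitor makes the whole check-then-act atomic.
    static final class SynchronizedSingleton {
        private static NumberConverter singleton;
        static synchronized NumberConverter get() {
            if (singleton == null) {
                singleton = new NumberConverter();
            }
            return singleton;
        }
    }

    // (3) Initialization-on-demand holder: the JVM runs class initialization
    // exactly once, under its own lock, so the fast path needs no explicit lock.
    static final class HolderSingleton {
        private static final class Holder {
            static final NumberConverter INSTANCE = new NumberConverter();
        }
        static NumberConverter get() { return Holder.INSTANCE; }
    }

    // (4) Double-checked locking. Correct only because the field is volatile
    // (Java 5+ memory model); without volatile this is the broken pattern
    // the mitigation warns about.
    static final class DclSingleton {
        private static volatile NumberConverter singleton;
        static NumberConverter get() {
            NumberConverter local = singleton;
            if (local == null) {
                synchronized (DclSingleton.class) {
                    local = singleton;
                    if (local == null) {
                        singleton = local = new NumberConverter();
                    }
                }
            }
            return local;
        }
    }

    interface Getter { NumberConverter get(); }

    // Starts `threads` threads behind a latch so they hit the getter together;
    // returns how many NumberConverter instances were constructed.
    static int race(Getter getter, int threads) throws InterruptedException {
        CONSTRUCTED.set(0);
        CountDownLatch start = new CountDownLatch(1);
        Thread[] workers = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            workers[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                getter.get();
            });
            workers[i].start();
        }
        start.countDown();
        for (Thread t : workers) t.join();
        return CONSTRUCTED.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("unsafe       constructed " + race(UnsafeSingleton::get, 16));
        System.out.println("synchronized constructed " + race(SynchronizedSingleton::get, 16));
        System.out.println("holder       constructed " + race(HolderSingleton::get, 16));
        System.out.println("volatile DCL constructed " + race(DclSingleton::get, 16));
    }
}
```

Compile with javac and run the class. The unsafe getter typically reports a count greater than 1 (the exact number depends on scheduling, which is why the bug is easy to miss in testing); the other three report 1. Each getter is raced once, so each singleton field is still null when its race starts.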

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): MSC07-J — Prevent multiple instantiations of singleton objects
  • Software Fault Patterns: SFP19 — Missing Lock

Frequently Asked Questions

What is CWE-543?

CWE-543 (Use of Singleton Pattern Without Synchronization in a Multithreaded Context) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses the singleton pattern when creating a resource within a multithreaded environment.

How can CWE-543 be exploited?

Attackers can exploit CWE-543 (Use of Singleton Pattern Without Synchronization in a Multithreaded Context) to modify application data; the listed impact categories are Other and Modify Application Data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-543?

Key mitigations include: Use the Thread-Specific Storage Pattern. See References.

What is the severity of CWE-543?

CWE-543 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.