1. Home
  2. CWE Database
  3. CWE-567
Base · Medium

CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

CWE-567 · Base Level ·1 Mitigations

Description

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.

Potential Impact

Confidentiality, Integrity, Availability

Read Application Data, Modify Application Data, DoS: Instability, DoS: Crash, Exit, or Restart

Demonstrative Examples

The following code implements a basic counter for how many times the page has been accesed.
Bad
public static class Counter extends HttpServlet {static int count = 0;protected void doGet(HttpServletRequest in, HttpServletResponse out)throws ServletException, IOException {out.setContentType("text/plain");PrintWriter p = out.getWriter();count++;p.println(count + " hits so far!");}}
Consider when two separate threads, Thread A and Thread B, concurrently handle two different requests:
At this point, both Thread A and Thread B print that one hit has been seen, even though two separate requests have been processed. The value of count should be 2, not 1.
While this example does not have any real serious implications, if the shared variable in question is used for resource tracking, then resource consumption could occur. Other scenarios exist.

Mitigations & Prevention

Implementation

Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-820: Missing Synchronization

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource...

CWE-662: Improper Synchronization

The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource ...

CWE-488: Exposure of Data Element to Wrong Session

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provid...

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): VNA00-J — Ensure visibility when accessing shared primitive variables
  • The CERT Oracle Secure Coding Standard for Java (2011): VNA02-J — Ensure that compound operations on shared variables are atomic
  • Software Fault Patterns: SFP19 — Missing Lock

Frequently Asked Questions

What is CWE-567?

CWE-567 (Unsynchronized Access to Shared Data in a Multithreaded Context) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

How can CWE-567 be exploited?

Attackers can exploit CWE-567 (Unsynchronized Access to Shared Data in a Multithreaded Context) to read application data, modify application data, dos: instability, dos: crash, exit, or restart. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-567?

Key mitigations include: Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.

What is the severity of CWE-567?

CWE-567 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.