CWE - CWE-567: Unsynchronized Access to Shared Data (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-567: Unsynchronized Access to Shared Data

Unsynchronized Access to Shared Data

Weakness ID: 567 (Weakness Base)

Status: Draft

Description

Description Summary

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All

Demonstrative Examples

Example 1

Java

public static class Counter extends HttpServlet {

static int count = 0;

protected void doGet(HttpServletRequest in, HttpServletResponse out)

throws ServletException, IOException {

out.setContentType("text/plain");

PrintWriter p = out.getWriter();

count++;

p.println(count + " hits so far!");

}

Potential Mitigations

Phase	Description
	A shared variable vulnerability can be prevented by removing the use of static variables used between servlets or to provide protection when shared access is absolutely needed. In this case, access should be synchronized.

Other Notes

The vulnerability can exist in servlets because a servlet is multi-threaded, and shared static variables are not protected from concurrent access. This is a typical programming mistake in J2EE applications, since the multi-threading is handled by the framework. The use of shared variables can be exploited by attackers to gain information or to cause denial of service conditions. If this shared data contains sensitive information, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
PeerOf	Weakness Variant	488	Data Leak Between Sessions	Research Concepts1000
ChildOf	Category	557	Concurrency Issues	Development Concepts (primary)699
ChildOf	Weakness Base	662	Insufficient Synchronization	Research Concepts (primary)1000

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other Notes

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us