CWE-383: J2EE Bad Practices: Direct Use of Threads

VariantDraft

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

View on MITRE
Back to CWE Lookup

Extended Description

Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-383: J2EE Bad Practices: Direct Use of Threads?+

CWE-383: J2EE Bad Practices: Direct Use of Threads is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Thread management in a Web application is forbidden in some circumstances and is always highly error prone. Thread management in a web application is forbidden by the J2EE standard in some circumstances and is always highly error prone. Managing threads is difficult and is likely to interfere in unpredictable ways with the behavior of the application container. Even without interfering with the container, thread management usually leads to bugs that are hard to detect and diagnose like deadlock, race conditions, and other synchronization errors.

What are the security consequences of J2EE Bad Practices: Direct Use of Threads?+

If exploited, CWE-383 (J2EE Bad Practices: Direct Use of Threads) it can compromise Other, leading to outcomes such as Quality Degradation.

How do you prevent or mitigate J2EE Bad Practices: Direct Use of Threads?+

Recommended mitigations for CWE-383 include: For EJB, use framework approaches for parallel execution, instead of using threads.

Which programming languages are affected by J2EE Bad Practices: Direct Use of Threads?+

CWE-383 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-383 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More