CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
The product uses the singleton pattern when creating a resource within a multithreaded environment.
View on MITREExtended Description
The use of a singleton pattern may not be thread-safe.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Use the Thread-Specific Storage Pattern. See References.
Phase
Description
Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition.
Phase
Description
Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).
Effectiveness
LimitedDetection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This method is part of a singleton pattern, yet the following singleton() pattern is not thread-safe. It is possible that the method will create two objects instead of only one.
Consider the following course of events:
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context?+
CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses the singleton pattern when creating a resource within a multithreaded environment. The use of a singleton pattern may not be thread-safe.
What are the security consequences of Use of Singleton Pattern Without Synchronization in a Multithreaded Context?+
If exploited, CWE-543 (Use of Singleton Pattern Without Synchronization in a Multithreaded Context) it can compromise Other and Integrity, leading to outcomes such as Other and Modify Application Data.
How do you prevent or mitigate Use of Singleton Pattern Without Synchronization in a Multithreaded Context?+
Recommended mitigations for CWE-543 include: Use the Thread-Specific Storage Pattern. See References. Do not use member fields to store information in the Servlet. In multithreading environments, storing user data in Servlet member fields introduces a data access race condition. Avoid using the double-checked locking pattern in language versions that cannot guarantee thread safety. This pattern may be used to avoid the overhead of a synchronized call, but in certain versions of Java (for example), this has been shown to be unsafe because it still introduces a race condition (CWE-209).
Which programming languages are affected by Use of Singleton Pattern Without Synchronization in a Multithreaded Context?+
CWE-543 commonly affects Java and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-543 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.