CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context

BaseDraft

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

View on MITRE
Back to CWE Lookup

Extended Description

Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context?+

CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. Within servlets, shared static variables are not protected from concurrent access, but servlets are multithreaded. This is a typical programming mistake in J2EE applications, since the multithreading is handled by the framework. When a shared variable can be influenced by an attacker, one thread could wind up modifying the variable to contain data that is not valid for a different thread that is also using the data within the variable. Note that this weakness is not unique to servlets.

What are the security consequences of Unsynchronized Access to Shared Data in a Multithreaded Context?+

If exploited, CWE-567 (Unsynchronized Access to Shared Data in a Multithreaded Context) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Application Data, Modify Application Data, DoS: Instability and DoS: Crash, Exit, or Restart.

How do you prevent or mitigate Unsynchronized Access to Shared Data in a Multithreaded Context?+

Recommended mitigations for CWE-567 include: Remove the use of static variables used between servlets. If this cannot be avoided, use synchronized access for these variables.

Which programming languages are affected by Unsynchronized Access to Shared Data in a Multithreaded Context?+

CWE-567 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-567 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More