SV.SHARED.VAR

This error appears if a value is ACCESSED from a static field without synchronization in some method, and this method is transitively called from the doPost or doGet method of the servlet. This is a thread safety problem because one instance of the servlet class is shared by several threads.

Vulnerability and risk

The vulnerability exists because a servlet is multi-threaded, and shared static variables are not protected from concurrent access. This is a typical programming mistake in J2EE applications, since the multi-threading is handled by the framework. The use of shared variables can be exploited by attackers to gain information or to cause denial-of-service (DoS) conditions. If this shared data contains sensitive information, it may be manipulated or displayed in another user session. If this data is used to control the application, its value can be manipulated to cause the application to crash or perform poorly.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

A shared variable vulnerability can be prevented by removing the use of static variables used between servlets or to provide protection when shared access is absolutely needed. In this case, access should be synchronized.

Example 1

17
18
19
20
21
22
23
24
25
26
27
    public static class Counter extends HttpServlet {
      static int count = 0;
      protected void doGet(HttpServletRequest in,
          HttpServletResponse out) throws ServletException,
          IOException {
        out.setContentType("text/plain");
        PrintWriter p = out.getWriter();
        count++;
        p.println(count + " hits so far!");
      }
    }

SV.SHARED.VAR is reported for lines 24 and 25: Unsynchronized access to static variable 'count' accessible from servlet code.

External guidance

• CERT LCK05-J: Synchronize access to static fields that can be modified by untrusted code
• CERT VNA00-J: Ensure visibility when accessing shared primitive variables
• CERT VNA01-J: Ensure visibility of shared references to immutable objects
• CERT VNA02-J: Ensure that compound operations on shared variables are atomic
• CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
• STIG-ID:APP3630.3 Race conditions
• STIG-ID:APP3760 Web Service Availability
• STIG-ID:APP3780 Web Service Availability

Security training

Application security training materials provided by Secure Code Warrior.

• Race Conditions Training Video - Test your skills with a training example