Byte Open Security (ByteOS Network)
CWE-574: EJB Bad Practices: Use of Synchronization Primitives
Weakness ID: 574
Version: v4.17
Weakness Name: EJB Bad Practices: Use of Synchronization Primitives
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

▼Extended Description

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container. In this case, the product violates the following EJB guideline: "An enterprise bean must not use thread synchronization primitives to synchronize execution of multiple instances." The specification justifies this requirement in the following way: "This rule is required to ensure consistent runtime semantics because while some EJB containers may use a single JVM to execute all enterprise bean's instances, others may distribute the instances across multiple JVMs."

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"

Nature    Mapping  Type  ID   Name
ChildOf   Allowed  Base  695  Use of Low-Level Functionality
ChildOf   Allowed  Base  821  Incorrect Synchronization
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1001  SFP Secondary Cluster: Use of an Improper API
MemberOf  Prohibited  Category  1401  Comprehensive Categorization: Concurrency
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-325  Quality Degradation (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"

Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1001  SFP Secondary Cluster: Use of an Improper API
▼Background Detail

▼Common Consequences
Scope  Likelihood  Impact               Note
Other  N/A         Quality Degradation  N/A
▼Potential Mitigations
Phase: Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description: Do not use Synchronization Primitives when writing EJBs.
Note:

▼Modes Of Introduction
Phase: Implementation
Note: N/A

▼Applicable Platforms
Languages
Class: Java (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following Java example a Customer Entity EJB provides access to customer information in a database for a business application.


Language: Java (Bad code)

import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.OneToOne;

@Entity
public class Customer implements Serializable {
    private String id;
    private String firstName;
    private String lastName;
    private Address address;

    public Customer() {}

    public Customer(String id, String firstName, String lastName) {
        this.id = id;
        this.firstName = firstName;
        this.lastName = lastName;
    }

    @Id
    public String getCustomerId() { return id; }
    // Every setter is declared synchronized: a JVM-level thread
    // synchronization primitive, which the EJB specification forbids in beans.
    public synchronized void setCustomerId(String id) { this.id = id; }

    public String getFirstName() { return firstName; }
    public synchronized void setFirstName(String firstName) { this.firstName = firstName; }

    public String getLastName() { return lastName; }
    public synchronized void setLastName(String lastName) { this.lastName = lastName; }

    @OneToOne
    public Address getAddress() { return address; }
    public synchronized void setAddress(Address address) { this.address = address; }
}


However, the Customer entity EJB declares its set methods synchronized in an attempt to make updates to the member variables thread safe. Using synchronized methods violates the EJB specification's restriction against the use of synchronization primitives within EJBs, and may cause the EJB to behave inconsistently when deployed in different EJB containers.
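The corrected form of the Customer entity, added here as an example rather than taken from the CWE entry: the synchronized keyword is dropped, and, assuming the bean is persisted through JPA, a @Version field lets the persistence provider detect conflicting concurrent updates, which works identically whether bean instances share one JVM or not. The Address class is assumed to be a separate entity.

```java
import java.io.Serializable;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.OneToOne;
import javax.persistence.Version;

// Corrected form of the Customer entity from the example above (added
// example): no "synchronized" on the setters. Concurrency control is left to
// the container and the persistence provider, which behaves the same whether
// bean instances live in one JVM or are spread across several.
@Entity
public class Customer implements Serializable {
    private String id;
    private String firstName;
    private String lastName;
    private Address address;  // assumption: Address is a separate @Entity

    // Optimistic lock field (JPA @Version): the provider increments it on
    // every commit and rejects a stale update with OptimisticLockException,
    // so lost updates between concurrent transactions are detected without
    // any JVM-level locking.
    private long version;

    public Customer() {}

    public Customer(String id, String firstName, String lastName) {
        this.id = id;
        this.firstName = firstName;
        this.lastName = lastName;
    }

    @Id
    public String getCustomerId() { return id; }
    public void setCustomerId(String id) { this.id = id; }  // was synchronized

    public String getFirstName() { return firstName; }
    public void setFirstName(String firstName) { this.firstName = firstName; }

    public String getLastName() { return lastName; }
    public void setLastName(String lastName) { this.lastName = lastName; }

    @OneToOne
    public Address getAddress() { return address; }
    public void setAddress(Address address) { this.address = address; }

    @Version
    public long getVersion() { return version; }
    public void setVersion(long version) { this.version = version; }
}
```

A simple check for this weakness in a code base is to flag any `synchronized` method or block inside a class annotated with @Entity, @Stateless, @Stateful, @Singleton or @MessageDriven.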

▼Observed Examples
Reference  Description
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality  Description
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name            Entry ID  Fit  Entry Name
Software Fault Patterns  SFP3      N/A  Use of an improper API
▼Related Attack Patterns
ID  Name
▼References