Kingdom: Time and State
Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time.
Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information.
Race Condition: Format Flaw
Abstract
The methods
parse() and format() in java.text.Format contain a design flaw that can cause one user to see another user's data.Explanation
The methods
Example 1: The following code shows how this design flaw can manifest itself.
While this code will behave correctly in a single-user environment, if two threads run it at the same time they could produce the following output:
Time in thread 1 should be 12/31/69 4:00 PM, found: 12/31/69 4:00 PM
Time in thread 2 should be around 12/29/09 6:26 AM, found: 12/31/69 4:00 PM
In this case, the date from the first thread is shown in the output from the second thread due a race condition in the implementation of
parse() and format() in java.text.Format contains a race condition that can cause one user to see another user's data.Example 1: The following code shows how this design flaw can manifest itself.
public class Common {
private static SimpleDateFormat dateFormat;
...
public String format(Date date) {
return dateFormat.format(date);
}
...
final OtherClass dateFormatAccess=new OtherClass();
...
public void function_running_in_thread1(){
System.out.println("Time in thread 1 should be 12/31/69 4:00 PM, found: "+ dateFormatAccess.format(new Date(0)));
}
public void function_running_in_thread2(){
System.out.println("Time in thread 2 should be around 12/29/09 6:26 AM, found: "+ dateFormatAccess.format(new Date(System.currentTimeMillis())));
}
}
While this code will behave correctly in a single-user environment, if two threads run it at the same time they could produce the following output:
Time in thread 1 should be 12/31/69 4:00 PM, found: 12/31/69 4:00 PM
Time in thread 2 should be around 12/29/09 6:26 AM, found: 12/31/69 4:00 PM
In this case, the date from the first thread is shown in the output from the second thread due a race condition in the implementation of
format().References
[1] Bug 4228335 : SimpleDateFormat is not threadsafe Sun Microsystems
[2] The Java Servlet Specification Sun Microsystems
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 488
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1), SC-4 Information in Shared Resources (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation, SC-4 Information in Shared System Resources
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation
[18] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[19] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
desc.structural.java.race_condition_format_flaw