UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application must not be vulnerable to race conditions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-70185 APSC-DV-001995 SV-84807r1_rule Medium
Description
A race condition is a timing event within an application that can become a security vulnerability. A race condition can occur when a pair of programming calls operating simultaneously do not work in a sequential or coordinated manner. A race condition is a timing event within software that can become a security vulnerability if the calls are not performed in the correct order. There are different types of race conditions and they are dependent upon the action that the application is undertaking when the race condition occurs. Some examples of race conditions include but are not limited to: - Time of check, time of use: the time in which a given resource is checked, and the time that resource is used. - Thread based: two threads of execution use a resource simultaneously, resource may be invalid when used. - Switch based: variable switches values while switch statement is in progress. Developers must be cognizant of programming sequence and use sanity checks to validate data prior to acting upon it. A code review or a static code analysis is the method used to identify race conditions.
STIG Date
Application Security and Development Security Technical Implementation Guide 2017-03-20

Details

Check Text ( C-70661r1_chk )
Review the application documentation and architecture.

If the application is a COTS application and the vendor will not provide code review test results that demonstrate the application has been tested and is not susceptible to race conditions, the requirement is NA.

Interview the application admin and identify the most recent code testing and analysis that has been conducted.

Review the test results; verify configuration of analysis tools are set to check for the existence of race conditions.

If race conditions are identified in the test results, verify the latest test results are being used, if not, ensure remediation has been completed.

If the test results show race conditions exist and no remediation evidence is presented, or if test results are not available, this is a finding.
Fix Text (F-76421r1_fix)
Be aware of potential timing issues related to application programming calls when designing and building the application.

Validate that variable values do not change while a switch event is occurring.