The designer will ensure the application is not vulnerable to race conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16815	APP3630	SV-17815r1_rule	DCSQ-1	Medium

Description
A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock situation.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-17814r1_chk )
Policy: The designer will ensure the application is not vulnerable to race conditions. The designer will ensure the application does not use global variables when local variables could be used. The designer will ensure a multi-threaded application uses thread safe functions when threads are accessing the same object or data. The Designer will ensure global resources are locked before being accessed by the application. Check: If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable. Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool. The review results should include all web services used in the application. If the results are provided from a manual code review, the application representative will need to demonstrate how the following vulnerabilities are identified during code reviews: • Race conditions • Using global variables when local variables could be used • Multi-threaded application uses thread safe functions • Global resources are locked before being accessed by the application 1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify these vulnerabilities, it is a finding. Examples of race conditions vulnerabilities can be obtained from the OWASP website.

Check Text ( C-17814r1_chk )

Policy:

The designer will ensure the application is not vulnerable to race conditions.

The designer will ensure the application does not use global variables when local variables could be used.

The designer will ensure a multi-threaded application uses thread safe functions when threads are accessing the same object or data.

The Designer will ensure global resources are locked before being accessed by the application.

Check:
If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

Ask the application representative for code review results from the entire application. This can be provided as results from an automated code review tool. The review results should include all web services used in the application.

If the results are provided from a manual code review, the application representative will need to demonstrate how the following vulnerabilities are identified during code reviews:
• Race conditions
• Using global variables when local variables could be used
• Multi-threaded application uses thread safe functions
• Global resources are locked before being accessed by the application

1) If the results are not provided or the application representative cannot demonstrate how manual code reviews are performed to identify these vulnerabilities, it is a finding.

Examples of race conditions vulnerabilities can be obtained from the OWASP website.

Fix Text (F-17113r1_fix)
Protect against race condition vulnerabilities