The product contains an empty synchronized block.

How do you prevent CWE-585?

When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary.

How is CWE-585 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-585?

Exploiting CWE-585 can lead to: Other.

CWE-585: Empty Synchronized Block

Implementation

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code attempts to synchronize on an object, but does not execute anything in the synchronized block. This does not actually accomplish anything and may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend.

Vulnerable example

java

synchronized(this) { }

Safe example

java

public void setID(int ID){

Instead, in a correct usage, the synchronized statement should contain procedures that access or modify data that is exposed to multiple threads. For example, consider a scenario in which several threads are accessing student records at the same time. The method which sets the student ID to a new value will need to make sure that nobody else is accessing this data at the same time and will require synchronization.

CWE-585: Empty Synchronized Block

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-585?

How do you prevent CWE-585?

How is CWE-585 detected?

What are the consequences of CWE-585?

References

Stay ahead of CWE-585

Overview

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-585?

How do you prevent CWE-585?

How is CWE-585 detected?

What are the consequences of CWE-585?

References

Stay ahead of CWE-585