...
A method declared as synchronized always uses the object's monitor (intrinsic lock), as does code that synchronizes on the {{this}} reference using a {{synchronized}} block. Poorly synchronized code is prone to contention and deadlock. An attacker can manipulate the system to trigger these conditions and cause a Denial of Service (DoS). If the vulnerable class is accessible from an untrusted class, an attacker can lock and hold the same object as the vulnerable class, disrupting correct synchronization by obtaining and indefinitely holding the intrinsic lock of an accessible class.
This vulnerability can be prevented by using a {{java.lang.Object}} declared within the class as {{private}} and {{final}}. The object must be explicitly used for locking purposes in {{synchronized}} blocks within the class's methods. The intrinsic lock used is then the one associated with the private object, not with the instance of the class that untrusted code can reference. Consequently, there is no lock contention between this class's methods and methods of a hostile class. Joshua Bloch refers to this as the "private lock object" idiom \[[Bloch 01|AA. Java References#Bloch 01]\].
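The following is an added illustration of the idiom described above; it is not code from this page or from the referenced work. The class and method names ({{SomeObject}}, {{changeValueUnsafe}}, {{changeValue}}, {{UntrustedHolder}}) are hypothetical. It places a method that synchronizes on {{this}} beside one that synchronizes on a private final lock object, and a small demonstration shows that a thread holding the instance's intrinsic lock blocks the former but cannot block the latter.

```java
// Added example of the "private lock object" idiom (not the page's own code).
// SomeObject, changeValueUnsafe, changeValue and UntrustedHolder are hypothetical names.
public final class SomeObject {

    // Private, final lock object: no code outside this class can obtain a reference to it,
    // so no code outside this class can hold it and starve the methods that use it.
    private final Object lock = new Object();

    private int value;

    // NONCOMPLIANT: synchronizes on the instance's intrinsic lock (this). Any caller that
    // holds a reference to the instance can acquire that same lock and hold it indefinitely.
    public synchronized void changeValueUnsafe() {
        value++;
    }

    // COMPLIANT: synchronizes on the private lock object instead of this.
    public void changeValue() {
        synchronized (lock) {
            value++;
        }
    }

    public int getValue() {
        synchronized (lock) {
            return value;
        }
    }

    // Models the hostile class from the text: it acquires the instance's intrinsic lock and
    // never releases it. It cannot touch the private lock, so changeValue() is unaffected.
    static final class UntrustedHolder implements Runnable {
        private final SomeObject target;

        UntrustedHolder(SomeObject target) {
            this.target = target;
        }

        @Override
        public void run() {
            synchronized (target) { // same monitor that changeValueUnsafe() needs
                try {
                    Thread.sleep(Long.MAX_VALUE);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        }
    }

    // Demonstration: the private-lock method completes while the intrinsic lock is held;
    // the synchronized method does not.
    public static void main(String[] args) throws InterruptedException {
        SomeObject obj = new SomeObject();

        Thread holder = new Thread(new UntrustedHolder(obj), "intrinsic-lock-holder");
        holder.setDaemon(true);
        holder.start();
        Thread.sleep(100); // give the holder time to acquire obj's intrinsic lock

        obj.changeValue(); // returns immediately: the private lock is free
        System.out.println("changeValue() completed; value = " + obj.getValue());

        Thread blocked = new Thread(obj::changeValueUnsafe, "synchronized-caller");
        blocked.setDaemon(true);
        blocked.start();
        blocked.join(500); // bounded wait so the demo terminates
        System.out.println("changeValueUnsafe() still waiting for the intrinsic lock: "
                + blocked.isAlive());
    }
}
```

Because the lock object is {{private}} and never escapes the class (it is not returned, exposed through a getter, or passed to other code), the only {{synchronized}} blocks that can ever contend for it are the ones written inside the class. A code-review check for this idiom is therefore twofold: the class contains no {{synchronized}} methods or {{synchronized (this)}} blocks, and the lock field is declared {{private final}} and referenced only inside {{synchronized}} statements.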
...