Title

Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. (Cat II impact)

Discussion

In order to understand data flows within web services, the process flow of data must be developed and documented. There are several different ways that web service deadlock occurs, many times it is due to when a client invokes a synchronous method on a web service, the client will block waiting for the method to complete. If attempts to call the client (invoke a callback) while the client is waiting for the original method to complete, then each party will deadlock waiting for the other. This is referred to as deadlock. The same situation could occur if a callback handler attempted to call a synchronous method on its caller. Applications that utilize web services must account for and document how they deal with a deadlock issue. This can be accomplished by documenting data flow and specifically accounting for the risk in the design of the application.

Check Content

Review the application documentation and the system diagrams detailing application system to system and service to service communication methods. Interview the application admin to identify any application web services that are deployed by the application. If the application does not deploy web services, the requirement is not applicable. If the application consumes web services but is not responsible for development of the services, the requirement is not applicable. Review the data flow diagrams and the system documentation to determine if the issue of web service deadlock is addressed. If the issue is not addressed in the documentation or configuration settings, ask the application admin to demonstrate how deadlock issues are addressed. If deadlock issues are not being addressed via documented web service configuration or design, this is a finding.

Fix Text

Develop web services to account for deadlock issues.

Additional Identifiers

Rule ID: SV-222625r879887_rule

Vulnerability ID: V-222625

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.