== Why is this an issue?

Most modern applications use threads to handle incoming requests or other 
long-running tasks concurrently. In some cases, the number of concurrent threads
is limited to avoid system resource exhaustion due to too numerous actions
being run.

When an application uses user-controlled data as a parameter of a thread
suspension operation, a Denial of Service attack can be made possible.


=== What is the potential impact?

An attacker with the capability to insert an arbitrary duration into a thread
suspension operation could suspend the corresponding thread for a long time.
Depending on the application's architecture and the thread handling logic, this
can lead to a complete Denial of Service of the application.

Indeed, if the number of threads, either created by the application or allocated
by a web server, is limited, the attacker will be able to suspend all of them at
the same time. Without any remaining thread to handle actions, the application
might badly answer, be slowed down, or become completely irresponsive.


// How to fix it section

include::./how-to-fix-it/java-se.adoc[]

== Resources

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Change this code to prevent user-controlled data from being used as a thread suspension duration.


endif::env-github,rspecator-view[]