Byte Open Security (ByteOS Network)
CWE-410: Insufficient Resource Pool
Weakness ID: 410
Version: v4.17
Weakness Name: Insufficient Resource Pool
Vulnerability Mapping: Allowed
Abstraction: Class
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

▼Extended Description

Frequently the consequence is a "flood" of connection or sessions.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature      Mapping      Type    ID   Name
CanPrecede  Discouraged  Class   400  Uncontrolled Resource Consumption
ChildOf     Discouraged  Pillar  664  Improper Control of a Resource Through its Lifetime
ParentOf    Allowed      Base    412  Unrestricted Externally Accessible Lock
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  399   Resource Management Errors
MemberOf  Prohibited  Category  730   OWASP Top Ten 2004 Category A9 - Denial of Service
MemberOf  Prohibited  Category  855   The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS)
MemberOf  Prohibited  Category  977   SFP Secondary Cluster: Design
MemberOf  Prohibited  Category  1145  SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)
MemberOf  Prohibited  Category  1416  Comprehensive Categorization: Resource Lifecycle Management
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-312  Other (impact)
MemberOf  Prohibited  BOSSView  BOSS-324  DoS: Crash, Exit, or Restart (impact)
▼Relevant To View
Relevant to the view "Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java - (1133)"
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1145  SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)

Relevant to the view "Software Development - (699)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  399  Resource Management Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  977  SFP Secondary Cluster: Design
▼Background Detail

▼Common Consequences
Scope: Availability, Integrity, Other
Likelihood: N/A
Impact: DoS: Crash, Exit, or Restart; Other
Note:

Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.

▼Potential Mitigations
Phase: Architecture and Design
Description:

Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.

Phase: Architecture and Design
Description:

Consider implementing a velocity check mechanism which would detect abusive behavior.

Phase: Operation
Description:

Consider load balancing as an option to handle heavy loads.

Phase: Implementation
Description:

Make sure that resource handles are properly closed when no longer needed.

Phase: Architecture and Design
Description:

Identify the system's resource-intensive operations and consider protecting them from abuse (e.g. a malicious automated script that exhausts those resources).

▼Modes Of Introduction
Phase: Architecture and Design (Note: N/A)
Phase: Implementation (Note: N/A)
Phase: Operation (Note: N/A)

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.

Language: XML (Bad code)
<Resource name="jdbc/exampledb"
          auth="Container"
          type="javax.sql.DataSource"
          removeAbandoned="true"
          removeAbandonedTimeout="30"
          maxActive="5"
          maxIdle="5"
          maxWait="60000"
          username="testuser"
          password="testpass"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost/exampledb"/>
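
The Tomcat pool above is only five connections deep, so the exhaustion it describes and two of the mitigations listed above (a velocity check and guaranteed release of handles) can be modelled together. This is an added Python example, not part of the CWE entry; BoundedPool, exhaustion_demo and the client ids are constructed for illustration, and max_wait is in seconds rather than Tomcat's milliseconds.

```python
import threading, time
from collections import deque
from contextlib import ExitStack, contextmanager

class RateLimited(Exception):
    pass   # raised by the velocity check, before the pool is even consulted

class BoundedPool:
    """Hypothetical stand-in for the Tomcat pool: max_active ~ maxActive, max_wait ~ maxWait (s)."""
    def __init__(self, max_active=5, max_wait=0.05, per_client_limit=3, window=1.0):
        self._sem = threading.BoundedSemaphore(max_active)
        self._max_wait, self._limit, self._window = max_wait, per_client_limit, window
        self._history = {}   # client_id -> timestamps of its recent acquisitions

    def _velocity_ok(self, client_id):
        # Velocity check: refuse a client that already took per_client_limit connections in the window
        now, q = time.monotonic(), self._history.setdefault(client_id, deque())
        while q and now - q[0] > self._window:
            q.popleft()
        if len(q) >= self._limit:
            return False
        q.append(now)
        return True

    @contextmanager
    def connection(self, client_id):
        if not self._velocity_ok(client_id):
            raise RateLimited(client_id)
        if not self._sem.acquire(timeout=self._max_wait):   # maxWait expired
            raise TimeoutError(f"pool exhausted, {client_id} not served")
        try:
            yield f"conn<{client_id}>"   # placeholder for a real DB connection
        finally:
            self._sem.release()          # handle is always returned to the pool

def exhaustion_demo(per_client_limit):
    """One client grabs six connections from a pool of five, then another asks for one."""
    pool, outcome, held = BoundedPool(per_client_limit=per_client_limit), {}, 0
    with ExitStack() as stack:
        try:
            for _ in range(6):
                stack.enter_context(pool.connection("abuser"))
                held += 1
        except (RateLimited, TimeoutError) as e:
            outcome["abuser"] = f"{type(e).__name__} after {held}"
        try:
            with pool.connection("legit"):
                outcome["legit"] = "served"
        except TimeoutError:
            outcome["legit"] = "denied"
    return outcome
```

With the per-client limit set above the pool size the single client drains all five connections and the next caller is denied; with the limit at three the abusive client is refused first and the pool still has room for others.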

▼Observed Examples
Reference      Description
CVE-1999-1363  Large number of locks on file exhausts the pool and causes crash.
CVE-2001-1340  Product supports only one connection and does not disconnect a user who does not provide credentials.
CVE-2002-0406  Large number of connections without providing credentials allows connection exhaustion.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name                                           Entry ID  Fit                Entry Name
PLOVER                                                  N/A       N/A                Insufficient Resource Pool
OWASP Top Ten 2004                                      A9        CWE More Specific  Denial of Service
The CERT Oracle Secure Coding Standard for Java (2011)  TPS00-J   N/A                Use thread pools to enable graceful degradation of service during traffic bursts
▼Related Attack Patterns
▼References