CWE-459:Incomplete Cleanup
Weakness ID:459
Version:v4.17
Weakness Name:Incomplete Cleanup
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Draft
Likelihood of Exploit:
▼Description

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

▼Extended Description

▼Alternate Terms
Insufficient Cleanup

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
ChildOf | Allowed-with-Review | Class | 404 | Improper Resource Shutdown or Release
ParentOf | Allowed | Base | 226 | Sensitive Information in Resource Not Removed Before Reuse
ParentOf | Allowed | Base | 460 | Improper Cleanup on Thrown Exception
ParentOf | Allowed | Variant | 568 | finalize() Method Without super.finalize()
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 452 | Initialization and Cleanup Errors
MemberOf | Prohibited | Category | 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
MemberOf | Prohibited | Category | 857 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO)
MemberOf | Prohibited | Category | 982 | SFP Secondary Cluster: Failure to Release Resource
MemberOf | Prohibited | Category | 1141 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)
MemberOf | Prohibited | Category | 1147 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf | Prohibited | Category | 1163 | SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)
MemberOf | Prohibited | Category | 1306 | CISQ Quality Measures - Reliability
MemberOf | Prohibited | Category | 1416 | Comprehensive Categorization: Resource Lifecycle Management
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-312 | Other (impact)
MemberOf | Prohibited | BOSSView | BOSS-318 | Modify Application Data (impact)
MemberOf | Prohibited | BOSSView | BOSS-328 | Read Application Data (impact)
MemberOf | Prohibited | BOSSView | BOSS-333 | DoS: Resource Consumption (Other) (impact)
▼Relevant To View
Relevant to the view "Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java - (1133)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1141 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)
MemberOf | Prohibited | Category | 1147 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)

Relevant to the view "Weaknesses Addressed by the SEI CERT C Coding Standard - (1154)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf | Prohibited | Category | 1163 | SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)

Relevant to the view "CISQ Quality Measures (2020) - (1305)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1306 | CISQ Quality Measures - Reliability

Relevant to the view "Software Development - (699)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 452 | Initialization and Cleanup Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 982 | SFP Secondary Cluster: Failure to Release Resource
▼Background Detail

▼Common Consequences
Scope: Other, Confidentiality, Integrity
Likelihood: N/A
Impact: Other, Read Application Data, Modify Application Data, DoS: Resource Consumption (Other)
Note:

It is possible to overflow the number of temporary files because directories typically have limits on the number of files allowed. This could create a denial of service problem.

▼Potential Mitigations
Phase:Architecture and Design, Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.

Note:

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Not Language-Specific(Undetermined Prevalence)
▼Demonstrative Examples
Example 1

Stream resources in a Java application should be released in a finally block; otherwise an exception thrown before the call to close() leaves an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect).

Language: Java (Bad code)

    try {
        InputStream is = new FileInputStream(path);
        byte b[] = new byte[is.available()];
        is.read(b);
        is.close(); // never reached if the constructor or read() throws
    } catch (Throwable t) {
        log.error("Something bad happened: " + t.getMessage());
    }
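As an added example, not code from the CWE entry or from the ByteOS page, the following Java class shows the corrected form of the stream snippet above (try-with-resources closes the stream on every exit path) together with the temporary-file case described under Potential Mitigations: the file is deleted in a finally block and its absence is verified afterwards, including when the code using it throws. The class and method names (CleanupExample, readAll, processWithTempFile, TempFileConsumer, TEMP_PREFIX) are hypothetical, the payload is constructed, and InputStream.readAllBytes() assumes Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not part of the CWE-459 entry); all names are hypothetical.
public final class CleanupExample {

    private static final String TEMP_PREFIX = "cwe459-demo-";

    /**
     * Reads an entire file. try-with-resources closes the stream whether the
     * body returns normally or throws, which is the guarantee the original
     * snippet lost by calling close() inside the try block.
     */
    static byte[] readAll(Path path) throws IOException {
        try (InputStream is = Files.newInputStream(path)) {
            // readAllBytes() also avoids the is.available() pitfall in the
            // original: available() is an estimate, not the file length.
            return is.readAllBytes();
        }
    }

    /**
     * Writes data to a temporary file, hands it to a consumer, and deletes the
     * file in a finally block so that an exception in the consumer cannot
     * leave it behind. Returns true only if the file is gone afterwards.
     */
    static boolean processWithTempFile(byte[] data, TempFileConsumer consumer)
            throws IOException {
        // Files.createTempFile uses owner-only permissions where the platform
        // supports them, limiting exposure during the file's short lifetime.
        Path tmp = Files.createTempFile(TEMP_PREFIX, ".bin");
        try {
            Files.write(tmp, data);
            consumer.accept(tmp);
        } finally {
            // deleteIfExists rather than delete: cleanup must not itself throw
            // and mask the consumer's exception if the file is already gone.
            Files.deleteIfExists(tmp);
        }
        return !Files.exists(tmp);
    }

    /** Functional interface so a caller can inject a failing consumer. */
    interface TempFileConsumer {
        void accept(Path p) throws IOException;
    }

    public static void main(String[] args) throws IOException {
        byte[] sample = "constructed sample payload".getBytes(); // constructed input

        // Happy path: the temporary file is removed after use.
        boolean cleaned = processWithTempFile(sample, p ->
                System.out.println("read back " + readAll(p).length + " bytes"));
        System.out.println("cleaned after success: " + cleaned);

        // Failure path: the consumer throws, the finally block still removes the file.
        Path[] used = new Path[1];
        try {
            processWithTempFile(sample, p -> {
                used[0] = p;
                throw new IOException("simulated processing failure");
            });
        } catch (IOException e) {
            System.out.println("caught: " + e.getMessage());
        }
        System.out.println("cleaned after failure: " + !Files.exists(used[0]));
    }
}
```

Compile and run with `javac CleanupExample.java && java CleanupExample`; both "cleaned after ..." lines should print true. The point of the second scenario is the one the CWE text makes: cleanup that only runs on the success path is incomplete cleanup, and the leftover file is exactly the kind of artifact the Observed Examples below describe.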

▼Observed Examples
Reference | Description
CVE-2000-0552 | World-readable temporary file not deleted after use.
CVE-2005-2293 | Temporary file not deleted after use, leaking database usernames and passwords.
CVE-2002-0788 | Interaction error creates a temporary file that can not be deleted due to strong permissions.
CVE-2002-2066 | Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2067 | Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2068 | Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2069 | Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2002-2070 | Alternate data streams for NTFS files are not cleared when files are wiped (alternate channel / infoleak).
CVE-2005-1744 | Users not logged out when application is restarted after security-relevant changes were made.
▼Affected Resources
    ▼Functional Areas
    • File Processing
    ▼Weakness Ordinalities
    OrdinalityDescription
    ▼Detection Methods
    Automated Static Analysis
    Detection Method ID:DM-14
    Description:

    Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

    Effectiveness:High
    Note:

    N/A

    ▼Vulnerability Mapping Notes
    Usage:Allowed
    Reason:Acceptable-Use
    Rationale:

    This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

    Comments:

    Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

    Suggestions:
    ▼Notes
    Relationship

    CWE-459 is a child of CWE-404 because, while CWE-404 covers any type of improper shutdown or release of a resource, CWE-459 deals specifically with a multi-step shutdown process in which a crucial step for "proper" cleanup is omitted or impossible. That is, CWE-459 deals specifically with a cleanup or shutdown process that does not successfully remove all potentially sensitive data.

    Relationship

    Overlaps other categories such as permissions and containment. Concept needs further development. This could be primary (e.g. leading to infoleak) or resultant (e.g. resulting from unhandled error conditions or early termination).

    ▼Taxonomy Mappings
    Taxonomy Name | Entry ID | Fit | Entry Name
    PLOVER | N/A | N/A | Incomplete Cleanup
    OWASP Top Ten 2004 | A10 | CWE More Specific | Insecure Configuration Management
    CERT C Secure Coding | FIO42-C | CWE More Abstract | Close files when they are no longer needed
    CERT C Secure Coding | MEM31-C | CWE More Abstract | Free dynamically allocated memory when no longer needed
    The CERT Oracle Secure Coding Standard for Java (2011) | FIO04-J | N/A | Release resources when they are no longer needed
    The CERT Oracle Secure Coding Standard for Java (2011) | FIO00-J | N/A | Do not operate on files in shared directories
    Software Fault Patterns | SFP14 | N/A | Failure to release resource
    ▼Related Attack Patterns
    IDName
    ▼References
    Details not found