Byte Open Security

(ByteOS Network)

CWE-771: Missing Reference to Active Allocated Resource
Weakness ID: 771
Version: v4.17
Weakness Name: Missing Reference to Active Allocated Resource
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Incomplete
Likelihood of Exploit: Medium
▼Description

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

▼Extended Description

This does not necessarily apply in languages or frameworks that automatically perform garbage collection, since the removal of all references may act as a signal that the resource is ready to be reclaimed. That only holds for resources the collector itself reclaims, however: dropping the last reference to an object that wraps an OS handle (a file or socket) generally leaves the handle open until a finalizer runs, and finalization is not deterministic, so such resources still need to be closed explicitly.
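The pattern in C, as an added example that is not part of the CWE entry: a hypothetical config loader opens a primary file and, if the (assumed) "CFG1" magic header is missing, falls back to a second file. The leaky version reuses the `fd` variable without closing it, so the first descriptor can never be reclaimed (the file-descriptor case is the child entry CWE-773); the fixed version closes before reassigning. `net_fd_growth()` measures the leak by comparing the number of open descriptors before and after a batch of calls, with /dev/null used as both paths so every call takes the fallback branch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Count the descriptors currently open in this process (scans 0..1023). */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical format check: a valid config starts with the bytes "CFG1". */
static int header_ok(int fd)
{
    char magic[4];
    ssize_t got = read(fd, magic, sizeof magic);
    return got == (ssize_t)sizeof magic && memcmp(magic, "CFG1", sizeof magic) == 0;
}

/* CWE-771 (vulnerable): when the primary file fails the header check, `fd`
 * is reassigned to the fallback descriptor. The only reference to the first
 * descriptor is gone, so no later code can close it. */
int open_config_leaky(const char *primary, const char *fallback)
{
    int fd = open(primary, O_RDONLY);
    if (fd != -1 && header_ok(fd))
        return fd;
    fd = open(fallback, O_RDONLY);    /* previous descriptor lost here */
    return fd;
}

/* Fixed: release the descriptor before the variable holding it is reused. */
int open_config_fixed(const char *primary, const char *fallback)
{
    int fd = open(primary, O_RDONLY);
    if (fd != -1) {
        if (header_ok(fd))
            return fd;
        close(fd);                    /* reclaim before the reference is dropped */
    }
    return open(fallback, O_RDONLY);
}

/* Call `opener` `iterations` times, closing every descriptor it returns, and
 * report the net change in open descriptors. Anything above zero is a leak
 * that grows with every request an attacker can trigger. */
int net_fd_growth(int (*opener)(const char *, const char *),
                  const char *primary, const char *fallback, int iterations)
{
    int before = count_open_fds();
    for (int i = 0; i < iterations; i++) {
        int fd = opener(primary, fallback);
        if (fd != -1)
            close(fd);
    }
    return count_open_fds() - before;
}

int main(void)
{
    /* /dev/null opens successfully but yields no header, so every call takes
     * the fallback branch; no real config files are needed. */
    printf("leaky: %d descriptors lost over 5 calls\n",
           net_fd_growth(open_config_leaky, "/dev/null", "/dev/null", 5));
    printf("fixed: %d descriptors lost over 5 calls\n",
           net_fd_growth(open_config_fixed, "/dev/null", "/dev/null", 5));
    return 0;
}
```

The descriptor-count check is the same test a reviewer can run against any request handler: drive it in a loop and confirm the process's open-descriptor count returns to its starting value.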

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature   | Mapping     | Type    | ID  | Name
ChildOf  | Discouraged | Class   | 400 | Uncontrolled Resource Consumption
ParentOf | Allowed     | Variant | 773 | Missing Reference to Active File Descriptor or Handle
▼Memberships
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 399  | Resource Management Errors
MemberOf | Prohibited | Category | 982  | SFP Secondary Cluster: Failure to Release Resource
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf | Prohibited | Category | 1163 | SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)
MemberOf | Prohibited | Category | 1416 | Comprehensive Categorization: Resource Lifecycle Management
▼Tags
Nature   | Mapping    | Type     | ID       | Name
MemberOf | Prohibited | BOSSView | BOSS-273 | Medium likelihood of exploit
MemberOf | Prohibited | BOSSView | BOSS-289 | Resource Limitation Strategy
MemberOf | Prohibited | BOSSView | BOSS-333 | DoS: Resource Consumption (Other) (impact)
▼Relevant To View
Relevant to the view "Weaknesses Addressed by the SEI CERT C Coding Standard - (1154)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
MemberOf | Prohibited | Category | 1163 | SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)

Relevant to the view "Software Development - (699)"
Nature   | Mapping    | Type     | ID  | Name
MemberOf | Prohibited | Category | 399 | Resource Management Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature   | Mapping    | Type     | ID  | Name
MemberOf | Prohibited | Category | 982 | SFP Secondary Cluster: Failure to Release Resource
▼Background Detail

▼Common Consequences
Scope        | Likelihood | Impact
Availability | N/A        | DoS: Resource Consumption (Other)

Note: An attacker that can influence the allocation of resources that are not properly maintained could deplete the available resource pool and prevent all other processes from accessing the same type of resource.

▼Potential Mitigations
Phase: Operation, Architecture and Design
Mitigation ID: MIT-47
Strategy: Resource Limitation
Description:

Use resource-limiting settings provided by the operating system or environment. For example, on POSIX systems setrlimit() sets the soft and hard limits for certain resource types (such as RLIMIT_NOFILE for open file descriptors) and getrlimit() reports the current limits, so the application can tell how close it is to the ceiling. These functions are not available on all operating systems.

When the current levels get close to the maximum that is defined for the application (see CWE-770), limit the allocation of further resources to privileged users, or begin releasing resources held by less-privileged users. This protects the system itself but will not necessarily stop attackers from degrading service for other users.

Ensure that the application checks for and handles the error returned when a resource cannot be allocated (CWE-703), rather than continuing with an invalid handle.
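The three parts of this mitigation in C, as an added example rather than code from the CWE entry: `cap_open_files()` uses getrlimit()/setrlimit() to lower the soft RLIMIT_NOFILE ceiling; `open_up_to()` stops cleanly when open() reports EMFILE/ENFILE instead of continuing with an invalid descriptor (the CWE-703 check); and a hypothetical `fd_pool` with an admission policy that reserves the last slots for privileged callers. The pool struct, its field names and the 10/8/2 sizing are assumptions for illustration; /dev/null is used so the demonstration needs no real files.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Lower the soft RLIMIT_NOFILE ceiling to `limit` (clamped to the hard limit).
 * The previous limits are saved in *saved so the caller can restore them.
 * Returns 0 on success, -1 with errno set on failure. */
int cap_open_files(rlim_t limit, struct rlimit *saved)
{
    if (getrlimit(RLIMIT_NOFILE, saved) == -1)
        return -1;
    struct rlimit rl = *saved;
    if (limit > rl.rlim_max)
        limit = rl.rlim_max;
    rl.rlim_cur = limit;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open up to `want` descriptors on `path`, storing them in fds[]. Stops
 * cleanly when the kernel reports the pool is exhausted (EMFILE/ENFILE)
 * instead of carrying on with an invalid handle (the CWE-703 error check).
 * Returns how many were opened; *hit_limit is set if a limit was reached. */
int open_up_to(const char *path, int want, int *fds, int *hit_limit)
{
    int n = 0;
    *hit_limit = 0;
    while (n < want) {
        int fd = open(path, O_RDONLY);
        if (fd == -1) {
            if (errno == EMFILE || errno == ENFILE)
                *hit_limit = 1;
            break;
        }
        fds[n++] = fd;
    }
    return n;
}

/* Hypothetical application-level pool accounting: the pool remembers what it
 * has handed out, so references are never lost, and applies the admission
 * policy from the mitigation text: once within `reserved` slots of the cap,
 * only privileged callers may take another resource. */
struct fd_pool {
    int cap;       /* maximum descriptors this pool may hold (see CWE-770) */
    int used;      /* descriptors currently handed out */
    int reserved;  /* slots kept back for privileged callers near the cap */
};

int pool_may_allocate(const struct fd_pool *p, int privileged)
{
    if (p->used >= p->cap)
        return 0;                                  /* pool full for everyone */
    if (!privileged && p->used + p->reserved >= p->cap)
        return 0;                                  /* only privileged users now */
    return 1;
}

/* Demonstration: cap the process at `cap` descriptors, try to open `want`,
 * release everything and restore the original limit. Returns the number of
 * opens that succeeded (-1 if the limit could not be set). */
int demo_limit(int cap, int want, int *hit_limit)
{
    struct rlimit saved;
    int fds[256];
    *hit_limit = 0;
    if (want > 256)
        want = 256;
    if (cap_open_files((rlim_t)cap, &saved) == -1) {
        perror("setrlimit");
        return -1;
    }
    int n = open_up_to("/dev/null", want, fds, hit_limit);
    for (int i = 0; i < n; i++)
        close(fds[i]);
    setrlimit(RLIMIT_NOFILE, &saved);   /* restore the original ceiling */
    return n;
}

int main(void)
{
    int hit;
    int n = demo_limit(16, 64, &hit);
    printf("opened %d of 64 under a soft limit of 16, EMFILE seen: %d\n", n, hit);

    struct fd_pool pool = { .cap = 10, .used = 8, .reserved = 2 };
    printf("unprivileged may allocate: %d, privileged may allocate: %d\n",
           pool_may_allocate(&pool, 0), pool_may_allocate(&pool, 1));
    return 0;
}
```

Lowering the soft limit needs no privilege, and it only refuses new allocations: descriptors already open stay open, which is why the process-wide limit is a backstop and the pool's own bookkeeping is what actually prevents the reference from being lost.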

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
▼Demonstrative Examples
▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Notes
▼Taxonomy Mappings
Taxonomy Name           | Entry ID | Fit               | Entry Name
CERT C Secure Coding    | FIO42-C  | CWE More Abstract | Close files when they are no longer needed
CERT C Secure Coding    | MEM31-C  | CWE More Abstract | Free dynamically allocated memory when no longer needed
Software Fault Patterns | SFP14    | N/A               | Failure to Release Resource
ISA/IEC 62443           | Part 3-3 | N/A               | Req SR 7.2
ISA/IEC 62443           | Part 4-1 | N/A               | Req SVV-1
ISA/IEC 62443           | Part 4-2 | N/A               | Req CR 7.2
▼Related Attack Patterns
▼References