CWE-410 Detail

CWE-410

Name

Insufficient Resource Pool

Status

Incomplete

Published

2006-07-19
00h00 +00:00

Modified

2023-06-29
00h00 +00:00

Official links

CWE Mitre.org

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Notifications manage

List of Notifications

Notifications for a CWE

Stay informed of any changes for a specific CWE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CWE ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Name: Insufficient Resource Pool

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

CWE Description

Frequently the consequence is a "flood" of connection or sessions.

General Informations

Modes Of Introduction

Architecture and Design
Implementation
Operation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope	Impact	Likelihood
Availability Integrity Other	DoS: Crash, Exit, or Restart, Other Note: Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of other vulnerabilities, not an insufficient resource pool.

Observed Examples

References	Description
CVE-1999-1363	Large number of locks on file exhausts the pool and causes crash.
CVE-2001-1340	Product supports only one connection and does not disconnect a user who does not provide credentials.
CVE-2002-0406	Large number of connections without providing credentials allows connection exhaustion.

Potential Mitigations

Phases : Architecture and Design
Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Phases : Architecture and Design
Consider implementing a velocity check mechanism which would detect abusive behavior.
Phases : Operation
Consider load balancing as an option to handle heavy loads.
Phases : Implementation
Make sure that resource handles are properly closed when no longer needed.
Phases : Architecture and Design
Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

References

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

Submission

Name	Organization	Date	Date release	Version
PLOVER		2006-07-19 +00:00	2006-07-19 +00:00	Draft 3

Modifications

Name	Organization	Date	Comment
Sean Eidemiller	Cigital	2008-07-01 +00:00	added/updated demonstrative examples
Eric Dalci	Cigital	2008-07-01 +00:00	updated Potential_Mitigations, Time_of_Introduction
CWE Content Team	MITRE	2008-09-08 +00:00	updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team	MITRE	2008-10-14 +00:00	updated Description, Relationships
CWE Content Team	MITRE	2009-07-27 +00:00	updated Demonstrative_Examples
CWE Content Team	MITRE	2009-10-29 +00:00	updated Common_Consequences
CWE Content Team	MITRE	2010-02-16 +00:00	updated References
CWE Content Team	MITRE	2011-06-01 +00:00	updated Common_Consequences, Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2012-05-11 +00:00	updated Relationships
CWE Content Team	MITRE	2012-10-30 +00:00	updated Potential_Mitigations
CWE Content Team	MITRE	2014-06-23 +00:00	updated Other_Notes, Potential_Mitigations
CWE Content Team	MITRE	2014-07-30 +00:00	updated Relationships
CWE Content Team	MITRE	2017-11-08 +00:00	updated Applicable_Platforms, Functional_Areas, References
CWE Content Team	MITRE	2018-03-27 +00:00	updated References
CWE Content Team	MITRE	2019-01-03 +00:00	updated Relationships, Taxonomy_Mappings
CWE Content Team	MITRE	2020-02-24 +00:00	updated Relationships
CWE Content Team	MITRE	2023-01-31 +00:00	updated Description
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes