CWE-410
Alerte pour un CWE
Stay informed of any changes for a specific CWE.
Insufficient Resource Pool
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
Extended Description
Frequently the consequence is a "flood" of connection or sessions.
Informations
Modes Of Introduction
Architecture and DesignImplementation
Operation
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Availability Integrity Other | DoS: Crash, Exit, or Restart, Other Note: Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool. |
Observed Examples
| Reference | Description |
|---|---|
| Large number of locks on file exhausts the pool and causes crash. | |
| Product supports only one connection and does not disconnect a user who does not provide credentials. | |
| Large number of connections without providing credentials allows connection exhaustion. |
Potential Mitigations
Phases : Architecture and DesignDo not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Phases : Architecture and Design
Consider implementing a velocity check mechanism which would detect abusive behavior.
Phases : Operation
Consider load balancing as an option to handle heavy loads.
Phases : Implementation
Make sure that resource handles are properly closed when no longer needed.
Phases : Architecture and Design
Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).
Vulnerability Mapping Notes
Rationale : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Comments : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
References
REF-7
Writing Secure CodeMichael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
Submission
| Name | Organization | Date | Date Release | Version |
|---|---|---|---|---|
| PLOVER | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Sean Eidemiller | Cigital | added/updated demonstrative examples | |
| Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Other_Notes, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Functional_Areas, References | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes |
2024©
tesweb SA
