CWE-1322 Détail de la faiblesse

CWE-1322

Nom

Use of Blocking Code in Single-threaded, Non-blocking Context

Statut

Incomplete

Publié

2020-12-10
00h00 +00:00

Modifié

2023-06-29
00h00 +00:00

Liens officiels

CWE Mitre.org

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CWE

Restez informé de toutes modifications pour un CWE spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CWE ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Nom: Use of Blocking Code in Single-threaded, Non-blocking Context

The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked.

Description du CWE

When an attacker can directly invoke the blocking code, or the blocking code can be affected by environmental conditions that can be influenced by an attacker, then this can lead to a denial of service by causing unexpected hang or freeze of the code. Examples of blocking code might be an expensive computation or calling blocking library calls, such as those that perform exclusive file operations or require a successful network operation.

Due to limitations in multi-thread models, single-threaded models are used to overcome the resource constraints that are caused by using many threads. In such a model, all code should generally be non-blocking. If blocking code is called, then the event loop will effectively be stopped, which can be undesirable or dangerous. Such models are used in Python asyncio, Vert.x, and Node.js, or other custom event loop code.

Informations générales

Modes d'introduction

Implementation

Conséquences courantes

Portée	Impact	Probabilité
Availability	DoS: Resource Consumption (CPU) Note: An unexpected call to blocking code can trigger an infinite loop, or a large loop that causes the software to pause and wait indefinitely.

Mesures d’atténuation potentielles

Phases : Implementation
Generally speaking, blocking calls should be replaced with non-blocking alternatives that can be used asynchronously. Expensive computations should be passed off to worker threads, although the correct approach depends on the framework being used.
Phases : Implementation
For expensive computations, consider breaking them up into multiple smaller computations. Refer to the documentation of the framework being used for guidance.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Modèles d'attaque associés

CAPEC-ID	Nom du modèle d'attaque
CAPEC-25	Forced Deadlock The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

Soumission

Nom	Organisation	Date	Date de publication	Version
Joe Harvey		2019-10-25 +00:00	2020-12-10 +00:00	4.3

Modifications

Nom	Organisation	Date	Commentaire
CWE Content Team	MITRE	2023-04-27 +00:00	updated Relationships
CWE Content Team	MITRE	2023-06-29 +00:00	updated Mapping_Notes

Détail du CWE-1322