CWE-410 不充分的资源池
Insufficient Resource Pool
结构: Simple
Abstraction: Base
状态: Incomplete
被利用可能性: unkown
基本描述
The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
扩展描述
Frequently the consequence is a "flood" of connection or sessions.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: CanPrecede cwe_CWE_ID: 400 cwe_View_ID: 1000
-
cwe_Nature: CanPrecede cwe_CWE_ID: 400 cwe_View_ID: 699
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| ['Availability', 'Integrity', 'Other'] | ['DoS: Crash, Exit, or Restart', 'Other'] | Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of other vulnerabilities, not an insufficient resource pool. |
可能的缓解方案
Architecture and Design
策略:
Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.
Architecture and Design
策略:
Consider implementing a velocity check mechanism which would detect abusive behavior.
Operation
策略:
Consider load balancing as an option to handle heavy loads.
Implementation
策略:
Make sure that resource handles are properly closed when no longer needed.
Architecture and Design
策略:
Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).
示例代码
例
In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.
bad XML
auth="Container"
type="javax.sql.DataSource"
removeAbandoned="true"
removeAbandonedTimeout="30"
maxActive="5"
maxIdle="5"
maxWait="60000"
username="testuser"
password="testpass"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost/exampledb"/>
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-1999-1363 | Large number of locks on file exhausts the pool and causes crash. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1363 |
| CVE-2001-1340 | Product supports only one connection and does not disconnect a user who does not provide credentials. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1340 |
| CVE-2002-0406 | Large number of connections without providing credentials allows connection exhaustion. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0406 |
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Insufficient Resource Pool | ||
| OWASP Top Ten 2004 | A9 | CWE More Specific | Denial of Service |
| The CERT Oracle Secure Coding Standard for Java (2011) | TPS00-J | Use thread pools to enable graceful degradation of service during traffic bursts |