CWE-410 不充分的资源池

admin 2022年1月5日20:59:29CWE(弱点枚举)评论10 views2564字阅读8分32秒阅读模式

CWE-410 不充分的资源池

Insufficient Resource Pool

结构: Simple

Abstraction: Base

状态: Incomplete

被利用可能性: unkown

基本描述

The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

扩展描述

Frequently the consequence is a "flood" of connection or sessions.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 664 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: CanPrecede cwe_CWE_ID: 400 cwe_View_ID: 1000

  • cwe_Nature: CanPrecede cwe_CWE_ID: 400 cwe_View_ID: 699

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
['Availability', 'Integrity', 'Other'] ['DoS: Crash, Exit, or Restart', 'Other'] Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of other vulnerabilities, not an insufficient resource pool.

可能的缓解方案

Architecture and Design

策略:

Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.

Architecture and Design

策略:

Consider implementing a velocity check mechanism which would detect abusive behavior.

Operation

策略:

Consider load balancing as an option to handle heavy loads.

Implementation

策略:

Make sure that resource handles are properly closed when no longer needed.

Architecture and Design

策略:

Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out).

示例代码

In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.

bad XML

auth="Container"
type="javax.sql.DataSource"
removeAbandoned="true"
removeAbandonedTimeout="30"
maxActive="5"
maxIdle="5"
maxWait="60000"
username="testuser"
password="testpass"
driverClassName="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost/exampledb"/>

分析过的案例

标识 说明 链接
CVE-1999-1363 Large number of locks on file exhausts the pool and causes crash. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1363
CVE-2001-1340 Product supports only one connection and does not disconnect a user who does not provide credentials. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1340
CVE-2002-0406 Large number of connections without providing credentials allows connection exhaustion. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0406

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Insufficient Resource Pool
OWASP Top Ten 2004 A9 CWE More Specific Denial of Service
The CERT Oracle Secure Coding Standard for Java (2011) TPS00-J Use thread pools to enable graceful degradation of service during traffic bursts

引用

文章来源于互联网:scap中文网

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月5日20:59:29
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-410 不充分的资源池 http://cn-sec.com/archives/612862.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: