CWE-410: Insufficient Resource Pool

Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

Extended Description

Frequently the consequence is a "flood" of connection or sessions.

ThreatScore

Threat Mapped score: 1.8

Industry: Finiancial

Threat priority: P4 - Informational (Low)

Observed Examples (CVEs)

CVE: CVE-1999-1363

Large number of locks on file exhausts the pool and causes crash.
CVE: CVE-2001-1340

Product supports only one connection and does not disconnect a user who does not provide credentials.
CVE: CVE-2002-0406

Large number of connections without providing credentials allows connection exhaustion.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Architecture and Design	N/A
Implementation	N/A
Operation	N/A

Common Consequences

Impact: DoS: Crash, Exit, or Restart, Other — Notes: Floods often cause a crash or other problem besides denial of the resource itself; these are likely examples of *other* vulnerabilities, not an insufficient resource pool.

Potential Mitigations

Architecture and Design: Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests. (N/A)
Architecture and Design: Consider implementing a velocity check mechanism which would detect abusive behavior. (N/A)
Operation: Consider load balancing as an option to handle heavy loads. (N/A)
Implementation: Make sure that resource handles are properly closed when no longer needed. (N/A)
Architecture and Design: Identify the system's resource intensive operations and consider protecting them from abuse (e.g. malicious automated script which runs the resources out). (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (with a 60 second timeout). In this case, it may be trivial for an attacker to instigate a denial of service (DoS) by using up all of the available connections in the pool.

<Resource name="jdbc/exampledb" auth="Container" type="javax.sql.DataSource" removeAbandoned="true" removeAbandonedTimeout="30" maxActive="5" maxIdle="5" maxWait="60000" username="testuser" password="testpass" driverClassName="com.mysql.jdbc.Driver" url="jdbc:mysql://localhost/exampledb"/>

Notes

No notes available.

← Back to CWE list