Class · High

CWE-410: Insufficient Resource Pool


CWE-410 · Class Level · 3 CVEs · 5 Mitigations

Description

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

Frequently the consequence is a "flood" of connections or sessions: the attacker opens as many as the pool allows and holds them, so legitimate callers find nothing free.

Potential Impact

Scope: Availability, Integrity, Other

Technical impact: DoS: Crash, Exit, or Restart; Other

Demonstrative Examples

In the following snippet from a Tomcat configuration file, a JDBC connection pool is defined with a maximum of 5 simultaneous connections (maxActive="5") and a wait of 60,000 ms (maxWait="60000": a caller blocks for up to 60 seconds for a free connection before the pool throws an exception). With a pool this small it may be trivial for an attacker to instigate a denial of service (DoS) by opening and holding five connections: for as long as they are held, every other request waits up to the full minute and then fails. Note that removeAbandoned only reclaims handles the application borrowed and forgot to return; it does not limit how many handles one client may occupy through legitimate, active use.

Bad

<Resource name="jdbc/exampledb"
          auth="Container"
          type="javax.sql.DataSource"
          removeAbandoned="true"
          removeAbandonedTimeout="30"
          maxActive="5"
          maxIdle="5"
          maxWait="60000"
          username="testuser"
          password="testpass"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost/exampledb"/>

Mitigations & Prevention

Architecture and Design

Do not perform resource-intensive transactions for unauthenticated users and/or invalid requests.

Architecture and Design

Consider implementing a velocity check mechanism that detects abusive behavior, for example too many requests, or too many simultaneously held handles, from a single client within a short window.

Operation

Consider load balancing as an option to handle heavy loads.

Implementation

Make sure that resource handles are properly closed when no longer needed.

Architecture and Design

Identify the system's resource-intensive operations and consider protecting them from abuse (e.g. a malicious automated script that exhausts the resources).
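The demonstrative Tomcat example above and the mitigations in this section can be seen together in a small simulation. The following is an added example, not code from CWE, Tomcat or any product on this page: a bounded pool modelled on maxActive / maxWait, first with no fairness control (the CWE-410 shape), then with a hypothetical per-client cap standing in for the "velocity check" mitigation and a context manager that guarantees handles are closed. The class names, the client names "attacker" and "alice", and the limits are all constructed for the example; maxWait is scaled down from 60 seconds so the run finishes quickly.

```python
import threading
from contextlib import contextmanager
from typing import Dict, Optional, Tuple


class PoolExhausted(Exception):
    """No connection became free within max_wait seconds (Tomcat: maxWait elapsed)."""


class ClientLimitExceeded(Exception):
    """The caller already holds its per-client share of the pool (hardened pool only)."""


class Connection:
    """A pooled handle; close() returns it to the pool exactly once."""

    def __init__(self, pool: "ConnectionPool", client: str) -> None:
        self.pool = pool
        self.client = client
        self.closed = False

    def close(self) -> None:
        if not self.closed:
            self.closed = True
            self.pool._release(self)


class ConnectionPool:
    """Bounded pool modelled on the Tomcat settings: at most max_active handles
    (maxActive) and a caller waits at most max_wait seconds for a free one
    (maxWait). With per_client=None there is no fairness control, which is the
    CWE-410 shape: one client can hold every handle. A per_client cap is the
    hypothetical 'velocity check' mitigation (assumption, not a Tomcat option)."""

    def __init__(self, max_active: int, max_wait: float,
                 per_client: Optional[int] = None) -> None:
        self.max_active = max_active
        self.max_wait = max_wait
        self.per_client = per_client
        self._cv = threading.Condition()
        self._active = 0
        self._held: Dict[str, int] = {}

    def acquire(self, client: str) -> Connection:
        with self._cv:
            # Check and reserve under one lock so the cap cannot be raced past.
            if self.per_client is not None and self._held.get(client, 0) >= self.per_client:
                raise ClientLimitExceeded(f"{client} already holds {self.per_client} connections")
            # Block until a slot frees up, but never longer than max_wait.
            if not self._cv.wait_for(lambda: self._active < self.max_active,
                                     timeout=self.max_wait):
                raise PoolExhausted(f"no free connection for {client} within {self.max_wait}s")
            self._active += 1
            self._held[client] = self._held.get(client, 0) + 1
            return Connection(self, client)

    def _release(self, conn: Connection) -> None:
        with self._cv:
            self._active -= 1
            self._held[conn.client] -= 1
            self._cv.notify()

    @contextmanager
    def connection(self, client: str):
        """The handle is released even if the transaction raises (mitigation: close handles)."""
        conn = self.acquire(client)
        try:
            yield conn
        finally:
            conn.close()


def simulate(per_client: Optional[int] = None, max_active: int = 5,
             max_wait: float = 0.05) -> Tuple[int, bool]:
    """One client ('attacker') opens connections until it is refused, then a
    legitimate client ('alice') tries to open one. Returns
    (connections the attacker ended up holding, whether alice was served)."""
    pool = ConnectionPool(max_active, max_wait, per_client)
    held = []
    for _ in range(max_active + 1):          # one more than the pool can hold
        try:
            held.append(pool.acquire("attacker"))
        except (PoolExhausted, ClientLimitExceeded):
            break
    try:
        with pool.connection("alice"):
            served = True
    except PoolExhausted:
        served = False
    for conn in held:                        # the attacker eventually disconnects
        conn.close()
    return len(held), served


if __name__ == "__main__":
    print("no per-client cap :", simulate())               # (5, False): alice locked out
    print("per-client cap = 2:", simulate(per_client=2))   # (2, True): alice served
```

Without a cap the attacker holds all five handles and alice fails after maxWait; with a cap of two the attacker's third acquire is refused immediately and alice is served. The cap is deliberately per identity rather than per request, so an attacker cannot bypass it by issuing cheap requests slowly; in a real deployment the identity would be the authenticated principal or, for unauthenticated traffic, the source address.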

Real-World CVE Examples

CVE-1999-1363: Large number of locks on a file exhausts the pool and causes a crash.
CVE-2001-1340: Product supports only one connection and does not disconnect a user who does not provide credentials.
CVE-2002-0406: Large number of connections without providing credentials allows connection exhaustion.
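Two of the three CVEs above share one pattern: a connection that never presents credentials is kept forever, so a handful of idle clients fill the pool. The usual check is a deadline between accept and authentication. The following is an added example, not code from CWE or from any of the products listed: a fixed-size session table whose reaper drops sessions still unauthenticated after auth_deadline seconds. The class names, the 3-slot table, the 10-second deadline and the clock values passed as now are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    peer: str
    opened_at: float
    user: Optional[str] = None      # None until credentials are presented


class SessionTable:
    """Fixed-size connection table with an authentication deadline: a session
    that has not authenticated within auth_deadline seconds is reaped, so
    idle, credential-less connections cannot hold slots indefinitely.
    The clock is passed in explicitly so the behaviour is deterministic."""

    def __init__(self, max_sessions: int, auth_deadline: float) -> None:
        self.max_sessions = max_sessions
        self.auth_deadline = auth_deadline
        self._sessions: Dict[int, Session] = {}
        self._next_id = 1

    def open(self, peer: str, now: float) -> Optional[int]:
        """Accept a new connection; returns its id, or None when the table is full."""
        if len(self._sessions) >= self.max_sessions:
            return None
        sid = self._next_id
        self._next_id += 1
        self._sessions[sid] = Session(peer=peer, opened_at=now)
        return sid

    def authenticate(self, sid: int, user: str) -> None:
        """Mark the session as authenticated; it is no longer subject to the deadline."""
        self._sessions[sid].user = user

    def reap(self, now: float) -> List[int]:
        """Drop every session still unauthenticated past the deadline; return their ids."""
        expired = [sid for sid, s in self._sessions.items()
                   if s.user is None and now - s.opened_at >= self.auth_deadline]
        for sid in expired:
            del self._sessions[sid]
        return expired

    def count(self) -> int:
        return len(self._sessions)


def scenario() -> Tuple[bool, int, bool]:
    """Three credential-less connections fill a 3-slot table. Returns
    (victim refused at t=5, sessions reaped at t=10.5, victim accepted after reaping)."""
    table = SessionTable(max_sessions=3, auth_deadline=10.0)
    for _ in range(3):
        table.open("attacker", now=0.0)      # opened, credentials never sent
    refused = table.open("alice", now=5.0) is None
    assert table.reap(now=9.0) == []         # nothing expires before the deadline
    reaped = len(table.reap(now=10.5))
    sid = table.open("alice", now=10.5)
    accepted = sid is not None
    table.authenticate(sid, "alice")
    assert table.reap(now=1000.0) == []      # authenticated sessions are never reaped
    return refused, reaped, accepted


if __name__ == "__main__":
    print(scenario())                        # (True, 3, True)
```

The deadline alone does not stop a determined attacker from re-opening connections as fast as they are reaped; it only bounds how long each idle slot can be held, which is what the two CVEs lacked. Combining it with a per-client limit on unauthenticated sessions closes the re-open loop as well.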

Taxonomy Mappings

  • PLOVER — Insufficient Resource Pool
  • OWASP Top Ten 2004: A9 — Denial of Service
  • The CERT Oracle Secure Coding Standard for Java (2011): TPS00-J — Use thread pools to enable graceful degradation of service during traffic bursts

Frequently Asked Questions

What is CWE-410?

CWE-410 (Insufficient Resource Pool) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

How can CWE-410 be exploited?

Attackers can exploit CWE-410 (Insufficient Resource Pool) to cause a denial of service (crash, exit, or restart of the product, or a pool that is simply full so legitimate users are refused) and other impacts. The weakness is typically introduced during the Architecture and Design, Implementation, or Operation phases of software development.

How do I prevent CWE-410?

Key mitigations include: do not perform resource-intensive transactions for unauthenticated users and/or invalid requests; detect abusive behavior with a velocity check; make sure resource handles are closed when no longer needed; identify the system's resource-intensive operations and protect them from abuse; and use load balancing to handle heavy loads.

What is the severity of CWE-410?

CWE-410 is classified as a Class-level weakness (High abstraction). It has been observed in 3 real-world CVEs.