CWE-400: Uncontrolled Resource Consumption
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product does not properly control the allocation and maintenance of a limited resource.
常见后果
影响范围: Availability
技术影响: DoS: Crash, Exit, or Restart DoS: Resource Consumption (CPU) DoS: Resource Consumption (Memory) DoS: Resource Consumption (Other)
说明: If an attacker can trigger the allocation of the limited resources, but the number or size of the resources is not controlled, then the most common result is denial of service. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment, i.e., the product may slow down, crash due to unhandled errors, or lock out legitimate users. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system.
影响范围: Access Control Other
技术影响: Bypass Protection Mechanism Other
说明: In some cases it may be possible to force the product to "fail open" in the event of resource exhaustion. The state of the product -- and possibly the security functionality - may then be compromised.
潜在缓解措施
阶段: Architecture and Design
描述: Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
阶段: Architecture and Design
阶段: Architecture and Design
描述: Ensure that protocols have specific limits of scale placed on them.
阶段: Implementation
描述: Ensure that all failures in resource allocation place the system into a safe posture.
检测方法
方法: Automated Static Analysis
有效性: Limited
方法: Automated Dynamic Analysis
Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame.
有效性: Moderate
方法: Fuzzing
While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.
有效性: Opportunistic
观察示例
参考: CVE-2019-19911
Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).
参考: CVE-2020-7218
Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service
参考: CVE-2020-3566
Resource exhaustion in distributed OS because of "insufficient" IGMP queue management, as exploited in the wild per CISA KEV.
参考: CVE-2009-2874
Product allows attackers to cause a crash via a large number of connections.
参考: CVE-2009-1928
Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
参考: CVE-2009-2858
Chain: memory leak (CWE-404) leads to resource exhaustion.
参考: CVE-2009-2726
Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
参考: CVE-2009-2540
Large integer value for a length property in an object causes a large amount of memory allocation.
参考: CVE-2009-2299
Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data.
参考: CVE-2009-2054
Product allows exhaustion of file descriptors when processing a large number of TCP packets.
参考: CVE-2008-5180
Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
参考: CVE-2008-2121
TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack.
参考: CVE-2008-2122
Port scan triggers CPU consumption with processes that attempt to read data from closed sockets.
参考: CVE-2008-1700
Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
参考: CVE-2007-4103
Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake.
参考: CVE-2006-1173
Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion.
参考: CVE-2007-0897
Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.
引入模式
| 阶段 | 说明 |
|---|---|
| Operation | The product could be operated in a system or environment with lower resource limits than expected, which might make it easier for attackers to consume all available resources. |
| System Configuration | The product could be configured with lower resource limits than expected, which might make it easier for attackers to consume all available resources. |
| Architecture and Design | The designer might not consider how to handle and throttle excessive resource requests, which typically requires careful planning to handle more gracefully than a crash or exit. |
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Resource exhaustion (file descriptor, disk space, sockets, ...) | - |
| OWASP Top Ten 2004 | A9 | Denial of Service | CWE More Specific |
| WASC | 10 | Denial of Service | - |
| WASC | 41 | XML Attribute Blowup | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER12-J | Avoid memory and resource leaks during serialization | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC05-J | Do not exhaust heap space | - |
| Software Fault Patterns | SFP13 | Unrestricted Consumption | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 7.1 | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 7.2 | - |
| ISA/IEC 62443 | Part 4-1 | Req SI-1 | - |
| ISA/IEC 62443 | Part 4-1 | Req SVV-3 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.2 | - |
关键信息
CWE ID: CWE-400
抽象级别: Class
结构: Simple
状态: Draft
利用可能性: High