
CVE-2011-0419

Allocation of Resources Without Limits or Throttling (CWE-770)

Published: May 16, 2011 | Modified: Apr 11, 2025
Source: NVD
CVSS 3.x: N/A
CVSS 2.x: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
RedHat/V2: 4.3 MODERATE (AV:N/AC:M/Au:N/C:N/I:N/A:P)
RedHat/V3: N/A
Ubuntu: MEDIUM

Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument (the pattern), as demonstrated by attacks against mod_autoindex in httpd.

The exposure is any code path that passes a client-controlled string to fnmatch() or apr_fnmatch() as the pattern rather than as the string being matched. The matcher recurses once per '*', so a pattern built from repeated *? pairs drives both the recursion depth (stack) and the number of backtracking attempts (CPU) up sharply. In httpd, mod_autoindex does exactly this with the P= query-string parameter of a directory listing, so an unauthenticated request for any directory that is served with Options Indexes is enough; disabling Indexes or setting IndexOptions IgnoreClient removes that vector but not other callers of apr_fnmatch().

Check: `httpd -v` and `apr-1-config --version` report the installed versions; an httpd built with its bundled APR must be judged by the httpd version, not by the system apr package. Note that the first fix was incomplete: APR 1.4.3 and httpd 2.2.18 introduced a separate infinite-loop defect in the same matcher (CVE-2011-1928), corrected in APR 1.4.5 and httpd 2.2.19, so those are the versions to require in practice.

Weakness

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Software

Name | Vendor | Start Version | End Version
Portable_runtime | Apache | * | 1.4.3 (excluding)
JBEWS 1.0 for RHEL 4 | RedHat | ant-0:1.7.1-13.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | antlr-0:2.7.7-7.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | bcel-0:5.2-8.1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | cglib-0:2.2-5.1.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | dom4j-0:1.6.1-11.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | ecj-1:3.3.1.1-3.2.2.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | glassfish-jaf-0:1.1.0-6.1.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | glassfish-javamail-0:1.4.2-0.4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | glassfish-jsf-0:1.2_13-2.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | hibernate3-1:3.3.2-1.5.GA_CP04.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | hibernate3-annotations-0:3.4.0-3.3.GA_CP04.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | hibernate3-entitymanager-0:3.4.0-4.3.GA_CP04.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | httpd22-0:2.2.17-14.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-beanutils-0:1.8.0-4.1.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-chain-0:1.2-2.2.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-codec-0:1.3-9.1.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-collections-0:3.2.1-4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-daemon-1:1.0.5-1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-dbcp-0:1.2.1-16.4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-digester-0:1.8.1-8.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-el-0:1.0-19.2.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-fileupload-1:1.1.1-7.4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-httpclient-1:3.1-1.1.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-io-0:1.4-1.3.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-launcher-0:1.1-4.6.1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-logging-0:1.1.1-0.4.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-logging-jboss-0:1.1-10.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-modeler-0:2.0-4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-pool-0:1.3-11.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-commons-validator-0:1.3.1-7.5.1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-oro-0:2.0.8-3.3.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jakarta-taglibs-standard-0:1.1.1-9.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | javassist-0:3.12.0-1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jboss-common-core-0:2.2.17-1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jboss-common-logging-jdk-0:2.1.2-1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jboss-common-logging-spi-0:2.1.2-1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jboss-javaee-0:5.0.1-2.9.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jcommon-0:1.0.16-1.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | jfreechart-0:1.0.13-2.3.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | log4j-0:1.2.14-18.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | mod_cluster-0:1.0.10-2.GA_CP01.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | mod_cluster-native-0:1.0.10-2.GA_CP01.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | mod_jk-0:1.2.31-1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | mx4j-1:3.0.1-9.3.4.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | objectweb-asm-0:3.1-5.3.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | regexp-0:1.5-1.2.1.jdk6.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | struts12-0:1.2.9-3.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | tomcat5-0:5.5.33-14_patch_04.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | tomcat6-0:6.0.32-15_patch_03.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | tomcat-jkstatus-ant-0:1.2.31-2.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | tomcat-native-0:1.1.20-2.0.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | xalan-j2-0:2.7.1-5.3_patch_04.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | xerces-j2-0:2.9.1-3.patch01.1.ep5.el4 | *
JBEWS 1.0 for RHEL 4 | RedHat | xml-commons-1:1.3.04-7.12.ep5.el4 | *
Red Hat Enterprise Linux 4 | RedHat | apr-0:0.9.4-25.el4 | *
Red Hat Enterprise Linux 5 | RedHat | apr-0:1.2.7-11.el5_6.4 | *
Red Hat Enterprise Linux 6 | RedHat | apr-0:1.3.9-3.el6_0.1 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | ant-0:1.7.1-13.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | antlr-0:2.7.7-7.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | cglib-0:2.2-5.1.1.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | dom4j-0:1.6.1-11.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | ecj3-1:3.3.1.1-3.1.1.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | glassfish-jsf-0:1.2_13-3.1.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | hibernate3-1:3.3.2-1.4.GA_CP04.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | hibernate3-annotations-0:3.4.0-3.2.GA_CP04.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | hibernate3-entitymanager-0:3.4.0-4.3.GA_CP04.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | httpd-0:2.2.17-11.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-beanutils-0:1.8.0-4.1.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-chain-0:1.2-2.2.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-codec-0:1.3-9.2.1.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-collections-0:3.2.1-4.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-daemon-1:1.0.5-1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-dbcp-0:1.2.1-16.4.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-digester-0:1.8.1-8.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-fileupload-1:1.1.1-7.4.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-httpclient-1:3.1-1.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-io-0:1.4-1.3.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-logging-0:1.1.1-0.4.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-logging-jboss-0:1.1-10.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-pool-0:1.3-11.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-commons-validator-0:1.3.1-7.5.2.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-oro-0:2.0.8-3.3.2.1.1.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jakarta-taglibs-standard-0:1.1.1-9.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | javassist-0:3.12.0-1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jboss-common-core-0:2.2.17-1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jboss-common-logging-jdk-0:2.1.2-1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jboss-common-logging-spi-0:2.1.2-1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jboss-javaee-0:5.0.1-2.9.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jcommon-0:1.0.16-1.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | jfreechart-0:1.0.13-2.3.2.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | mod_cluster-0:1.0.10-2.1.GA_CP01.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | mod_cluster-native-0:1.0.10-2.1.GA_CP01.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | mod_jk-0:1.2.31-1.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | objectweb-asm-0:3.1-5.3.1.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | struts12-0:1.2.9-3.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | tomcat5-0:5.5.33-16_patch_04.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | tomcat6-0:6.0.32-15.1_patch_03.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | tomcat-jkstatus-ant-0:1.2.31-2.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | tomcat-native-0:1.1.20-2.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | xalan-j2-0:2.7.1-5.3_patch_04.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | xerces-j2-0:2.9.1-3.patch01.1.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 | RedHat | xml-commons-0:1.3.04-7.10.jdk6.ep5.el5 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | ant-0:1.7.1-14.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | antlr-0:2.7.7-7.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | cglib-0:2.2-5.4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | dom4j-0:1.6.1-11.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | ecj3-1:3.3.1.1-4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | glassfish-jsf-0:1.2_13-3.1.4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | hibernate3-1:3.3.2-1.8.GA_CP04.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | hibernate3-annotations-0:3.4.0-3.5.GA_CP04.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | hibernate3-commons-annotations-0:3.1.0-1.8.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | hibernate3-ejb-persistence-3.0-api-1:1.0.2-3.3.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | hibernate3-entitymanager-0:3.4.0-4.4.GA_CP04.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | httpd-0:2.2.17-11.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-beanutils-0:1.8.0-9.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-chain-0:1.2-2.2.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-codec-0:1.3-12.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-collections-0:3.2.1-4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-daemon-1:1.0.5-1.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-daemon-jsvc-1:1.0.5-1.4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-dbcp-0:1.2.1-16.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-digester-0:1.8.1-8.1.1.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-fileupload-1:1.1.1-7.5.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-httpclient-1:3.1-1.2.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-io-0:1.4-4.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-logging-0:1.1.1-1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-logging-jboss-0:1.1-10.2.2.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-pool-0:1.3-15.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-commons-validator-0:1.3.1-7.5.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-oro-0:2.0.8-7.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jakarta-taglibs-standard-0:1.1.1-12.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | javassist-0:3.12.0-3.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jboss-common-core-0:2.2.17-1.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jboss-common-logging-jdk-0:2.1.2-1.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jboss-common-logging-spi-0:2.1.2-1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jboss-javaee-0:5.0.1-2.9.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jcommon-0:1.0.16-1.2.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | jfreechart-0:1.0.13-2.3.2.1.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | mod_cluster-0:1.0.10-2.2.GA_CP01.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | mod_cluster-native-0:1.0.10-2.1.1.GA_CP01.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | mod_jk-0:1.2.31-1.1.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | objectweb-asm31-0:3.1-12.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | struts12-0:1.2.9-3.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | tomcat5-0:5.5.33-15_patch_04.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | tomcat6-0:6.0.32-14_patch_03.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | tomcat-jkstatus-ant-0:1.2.31-2.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | tomcat-native-0:1.1.20-2.1.2.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | xalan-j2-0:2.7.1-5.3_patch_04.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | xerces-j2-0:2.9.1-8.patch01.1.ep5.el6 | *
Red Hat JBoss Enterprise Web Server 1 for RHEL 6 | RedHat | xml-commons-0:1.3.04-7.14.ep5.el6 | *
Red Hat JBoss Web Server 1.0 | RedHat | * |
Apache2 | Ubuntu | dapper | *
Apr | Ubuntu | hardy | *
Apr | Ubuntu | lucid | *
Apr | Ubuntu | maverick | *
Apr | Ubuntu | natty | *
Apr | Ubuntu | upstream | *

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution can be difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.

  • If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. In addition, an uncontrolled failure can cascade into other downstream components; for example, have the program signal a downstream process so that the process learns of the problem immediately and has a better chance of recovering.

  • Ensure that all failures in resource allocation place the system into a safe posture.

  • Use quotas or other resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.

  • When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.

  • Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
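The following is an added example, not APR's or httpd's code. It puts a small fnmatch-style matcher for '*' and '?' with the recursive shape described above next to the controls the mitigations list asks for: an allow-list cap on the number of wildcards in a caller-supplied pattern, a work budget that fails closed when exhausted, and an iterative matcher that needs no recursion at all. The pattern "*?*?*?b", the subject strings, the MAX_WILDCARDS limit and all function names are this example's own constructions, chosen so the cost is observable as a call count rather than by timing.

```c
/*
 * Added example (not APR code): a recursive '*'/'?' matcher in the shape that
 * made caller-supplied patterns expensive, plus three controls in front of it.
 * All names, limits and inputs below are this example's own assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long calls;      /* recursive invocations so far (CPU cost)  */
    unsigned long max_depth;  /* deepest recursion reached (stack cost)   */
    unsigned long budget;     /* max calls allowed; 0 = unlimited         */
    bool aborted;             /* set once the budget is exhausted         */
} match_stats;

/* Recursive matcher: each '*' tries every split point and recurses, so a
 * pattern like "*?*?*?b" costs on the order of n^stars calls against an
 * n-character subject that never matches, and every '*' adds a stack frame. */
static bool match_rec(const char *p, const char *s, match_stats *st, unsigned long depth)
{
    st->calls++;
    if (depth > st->max_depth) st->max_depth = depth;
    if (st->budget && st->calls > st->budget) {   /* fail closed on overspend */
        st->aborted = true;
        return false;
    }
    for (;;) {
        switch (*p) {
        case '\0':
            return *s == '\0';
        case '?':
            if (*s == '\0') return false;
            p++; s++;
            break;
        case '*':
            while (*p == '*') p++;                /* "**" behaves like "*"    */
            if (*p == '\0') return true;          /* trailing '*' eats the rest */
            for (; *s != '\0'; s++) {             /* try every remaining split */
                if (match_rec(p, s, st, depth + 1)) return true;
                if (st->aborted) return false;    /* unwind immediately       */
            }
            return false;
        default:
            if (*p != *s) return false;
            p++; s++;
            break;
        }
    }
}

/* Iterative matcher: remembers only the last '*' and where it was tried, so
 * time is bounded by len(p) * len(s) and stack use is constant no matter how
 * many "*?" pairs the pattern contains. */
static bool match_iter(const char *p, const char *s)
{
    const char *star_p = NULL, *star_s = NULL;
    while (*s != '\0') {
        if (*p == '?' || *p == *s)  { p++; s++; }
        else if (*p == '*')         { star_p = p++; star_s = s; }
        else if (star_p != NULL)    { p = star_p + 1; s = ++star_s; }
        else                        return false;
    }
    while (*p == '*') p++;
    return *p == '\0';
}

/* Allow-list pre-check: a caller-supplied pattern with more than
 * MAX_WILDCARDS metacharacters is rejected before any matching happens. */
#define MAX_WILDCARDS 8
static bool pattern_acceptable(const char *p)
{
    unsigned n = 0;
    for (; *p != '\0'; p++)
        if ((*p == '*' || *p == '?') && ++n > MAX_WILDCARDS) return false;
    return true;
}

static match_stats last_stats;                  /* stats of the last glob_match() */
const match_stats *glob_last_stats(void) { return &last_stats; }

/* Returns 1 on match, 0 on mismatch, -1 when the pattern is rejected or the
 * budget is exhausted; callers treat -1 as "no match", never as a retry. */
int glob_match(const char *pattern, const char *subject, unsigned long budget)
{
    memset(&last_stats, 0, sizeof last_stats);
    last_stats.budget = budget;
    if (!pattern_acceptable(pattern)) return -1;
    bool ok = match_rec(pattern, subject, &last_stats, 1);
    if (last_stats.aborted) return -1;
    return ok ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a hostile pattern against a name it can never match. */
    const char *bad = "*?*?*?b", *subj = "aaaaaaaaaa";
    int r = glob_match(bad, subj, 0);
    printf("unbounded:  result=%d calls=%lu depth=%lu\n", r, last_stats.calls, last_stats.max_depth);
    r = glob_match(bad, subj, 100);
    printf("budget=100: result=%d aborted=%d calls=%lu\n", r, last_stats.aborted, last_stats.calls);
    printf("iterative:  %d\n", match_iter(bad, subj));
    printf("benign:     %d\n", glob_match("*.conf", "httpd.conf", 100));
    return 0;
}
```

With a ten-character subject the unbounded recursive matcher already makes 176 calls four frames deep for a seven-character pattern; every extra "*?" pair multiplies the work and adds a frame, which is the CPU-and-stack profile the advisory describes. The budgeted call stops at the 101st call and reports -1 so the caller never retries, and the iterative matcher returns the same answer in a single frame.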