Reino: Code Quality
Una mala calidad del código lleva a un comportamiento no predecible. Desde la perspectiva de un usuario, muchas veces también supone una usabilidad limitada. Pero para un atacante es una oportunidad para atacar al sistema de formas insospechadas.
Unreleased Resource: Synchronization
Abstract
El programa no puede liberar el bloqueo que albergue, que podría ocasionar un interbloqueo.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente código establece un bloqueo antes de
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente código establece un bloqueo antes de
performOperationInCriticalSection(), pero no puede liberar el bloqueo si se genera una excepción en ese método.
Object synchronizationObject = new Object ();
System.Threading.Monitor.Enter(synchronizationObject);
performOperationInCriticalSection();
System.Threading.Monitor.Exit(synchronizationObject);
References
[1] Microsoft MSDN - Programming Guide - Thread Synchronization
[2] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.unreleased_resource_synchronization
Abstract
El programa no puede liberar el bloqueo que albergue, que podría ocasionar un interbloqueo.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: La función siguiente no destruye la variable de condición que asigna si se produce un error. Si el proceso se alarga en el tiempo, puede quedarse sin identificadores de archivo.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: La función siguiente no destruye la variable de condición que asigna si se produce un error. Si el proceso se alarga en el tiempo, puede quedarse sin identificadores de archivo.
int helper(char* fName)
{
int status;
...
pthread_cond_init (&count_threshold_cv, NULL);
pthread_mutex_init(&count_mutex, NULL);
status = perform_operation();
if (status) {
printf("%s", "cannot perform operation");
return OPERATION_FAIL;
}
pthread_mutex_destroy(&count_mutex);
pthread_cond_destroy(&count_threshold_cv);
return OPERATION_SUCCESS;
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.unreleased_resource_synchronization
Abstract
Un programa mantiene un bloqueo y no puede liberarlo, lo podría conllevar un interbloqueo.
Explanation
Es posible que el programa no pueda liberar un bloqueo.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión sobre qué parte del programa es responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un atacante puede desencadenar de forma intencionada una pérdida de recursos, el atacante podría lanzar una denegación de servicio agotando el conjunto de recursos o provocando un interbloqueo.
Ejemplo 1: El siguiente programa no libera un bloqueo de registro en un archivo si se produce un error.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión sobre qué parte del programa es responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un atacante puede desencadenar de forma intencionada una pérdida de recursos, el atacante podría lanzar una denegación de servicio agotando el conjunto de recursos o provocando un interbloqueo.
Ejemplo 1: El siguiente programa no libera un bloqueo de registro en un archivo si se produce un error.
CALL "CBL_GET_RECORD_LOCK"
USING file-handle
record-offset
record-length
reserved
END-CALL
IF return-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
PERFORM write-data
IF ws-status-code NOT = 0
DISPLAY "Error!"
GOBACK
ELSE
DISPLAY "Success!"
END-IF
END-IF
CALL "CBL_FREE_RECORD_LOCK"
USING file-handle
record-offset
record-length
reserved
END-CALL
GOBACK
.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cobol.unreleased_resource_synchronization
Abstract
El programa no puede liberar el bloqueo que albergue, que podría ocasionar un interbloqueo.
Explanation
Es posible que el programa no pueda liberar un recurso del sistema.
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente código establece un bloqueo antes de
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede activar de forma intencionada una pérdida de recursos, es posible que este pueda iniciar un ataque de denegación de servicio agotando el conjunto de recursos.
Ejemplo 1: el siguiente código establece un bloqueo antes de
performOperationInCriticalSection(), pero no puede liberar el bloqueo si se genera una excepción en ese método.
ReentrantLock myLock = new ReentrantLock ();
myLock.lock();
performOperationInCriticalSection();
myLock.unlock();
References
[1] Sun Microsystems, Inc. Java Sun Tutorial - JavaDoc - Class ReentrantLock
[2] CERT LCK07-J. Avoid deadlock by requesting and releasing locks in the same order
[3] CERT LCK08-J. Ensure actively held locks are released on exceptional conditions
[4] FIO04-J. Release resources when they are no longer needed CERT
[5] DOS-2: Release resources in all cases Oracle
[6] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.unreleased_resource_synchronization
Abstract
Un programa mantiene un bloqueo y no puede liberarlo, lo podría conllevar un interbloqueo.
Explanation
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede desencadenar de forma intencionada una pérdida de recursos, este puede lanzar una denegación de servicio, agotando el conjunto de recursos.
Ejemplo 1: El siguiente código establece un bloqueo antes de
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede desencadenar de forma intencionada una pérdida de recursos, este puede lanzar una denegación de servicio, agotando el conjunto de recursos.
Ejemplo 1: El siguiente código establece un bloqueo antes de
performOperationInCriticalSection(), pero nunca lo libera.
os_unfair_lock lock1 = OS_UNFAIR_LOCK_INIT;
os_unfair_lock_lock(&lock1);
performOperationInCriticalSection();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.objc.unreleased_resource_synchronization
Abstract
Un programa mantiene un bloqueo y no puede liberarlo, lo podría conllevar un interbloqueo.
Explanation
Las pérdidas de recursos presentan dos causas habituales:
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede desencadenar de forma intencionada una pérdida de recursos, este puede lanzar una denegación de servicio, agotando el conjunto de recursos.
Ejemplo 1: El siguiente código establece un bloqueo antes de
- Condiciones de error y otras circunstancias excepcionales.
- Confusión en cuanto a la parte del programa responsable de liberar el recurso.
La mayoría de los problemas de recursos no liberados provocan problemas generales de confiabilidad del software. Sin embargo, si un usuario malintencionado puede desencadenar de forma intencionada una pérdida de recursos, este puede lanzar una denegación de servicio, agotando el conjunto de recursos.
Ejemplo 1: El siguiente código establece un bloqueo antes de
performOperationInCriticalSection(), pero nunca lo libera.
let lock1 = OSAllocatedUnfairLock()
lock1.lock()
performOperationInCriticalSection();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 411, CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.swift.unreleased_resource_synchronization