CWE - CWE-407: Algorithmic Complexity (2.4)

Home > CWE List > CWE- Individual Dictionary Definition (2.4)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents
FAQs

Community
SwA On-Ramp
T-Shirt
Discussion List
Discussion Archives
Contact Us

Scoring
CWSS
CWRAF
CWE/SANS Top 25

Compatibility
Requirements
Coverage Claims Representation
Compatible Products
Make a Declaration

News
Calendar
Free Newsletter

Search the Site

CWE-407: Algorithmic Complexity

Algorithmic Complexity

Weakness ID: 407 (Weakness Base)

Status: Incomplete

Description

Description Summary

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

Language-independent

Common Consequences

Scope	Effect
Availability	Technical Impact: DoS: resource consumption (CPU); DoS: resource consumption (memory); DoS: resource consumption (other) The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.

Likelihood of Exploit

Low to Medium

Observed Examples

Reference	Description
CVE-2003-0244	CPU consumption via inputs that cause many hash table collisions.
CVE-2003-0364	CPU consumption via inputs that cause many hash table collisions.
CVE-2002-1203	Product performs unnecessary processing before dropping an invalid packet.
CVE-2001-1501	CPU and memory consumption using many wildcards.
CVE-2004-2527	Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
CVE-2006-6931	Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack."
CVE-2006-3380	Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2006-3379	Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2005-2506	OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
CVE-2005-1792	Memory leak by performing actions faster than the software can clear them.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	405	Asymmetric Resource Consumption (Amplification)	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	907	SFP Cluster: Other	Software Fault Pattern (SFP) Clusters (primary)888
MemberOf	View	884	CWE Cross-section	CWE Cross-section (primary)884

Functional Areas

Cryptography

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
PLOVER			Algorithmic Complexity

References

Crosby and Wallach. "Algorithmic Complexity Attacks". <http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003/index.html>.

Content History

Submissions
Submission Date	Submitter	Organization	Source
	PLOVER		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2009-07-27	CWE Content Team	MITRE	Internal
2009-07-27	updated Functional_Areas, Other_Notes
2009-10-29	CWE Content Team	MITRE	Internal
2009-10-29	updated Common_Consequences
2009-12-28	CWE Content Team	MITRE	Internal
2009-12-28	updated Applicable_Platforms, Likelihood_of_Exploit
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Observed_Examples, Relationships

Page Last Updated: February 20, 2013


	CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us