
Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (2.10)

CWE-664: Improper Control of a Resource Through its Lifetime

Weakness ID: 664
Abstraction: Class
Status: Draft
+ Description

Description Summary

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Extended Description

Resources often have explicit instructions on how they are to be created, used, and destroyed. When software does not follow these instructions, it can lead to unexpected behaviors and potentially exploitable states.

Even without explicit instructions, various principles are expected to be adhered to, such as "Do not use an object until after its creation is complete," or "Do not use an object after it has been slated for destruction."
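
The two principles quoted above can be enforced in code by recording the resource's lifetime phase and checking it on every operation. The following C sketch is an added example, not part of the CWE entry; the `session` type and its function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Lifetime phases of a hypothetical "session" resource (names are assumptions). */
enum phase { PH_NEW, PH_READY, PH_RELEASED };
struct session { enum phase phase; char *buf; size_t cap; };

/* Creation: the object becomes usable only when this returns 0. */
int session_open(struct session *s, size_t cap) {
    *s = (struct session){ PH_NEW, NULL, 0 };
    if (cap == 0) return -1;
    s->buf = calloc(1, cap);
    if (s->buf == NULL) return -1;      /* creation incomplete: stays PH_NEW */
    s->cap = cap;
    s->phase = PH_READY;
    return 0;
}

/* Use: refused before creation completes and after release. */
int session_write(struct session *s, const char *data, size_t len) {
    if (s->phase != PH_READY) return -1;
    if (len > s->cap) return -1;
    memcpy(s->buf, data, len);
    return (int)len;
}

/* Release: idempotent, so a second close cannot free the buffer twice. */
void session_close(struct session *s) {
    if (s->phase != PH_READY) return;
    free(s->buf);
    s->buf = NULL;
    s->cap = 0;
    s->phase = PH_RELEASED;
}

/* Walks one full lifetime; returns 0 only if every phase rule held. */
int lifetime_demo(void) {
    struct session s;
    if (session_open(&s, 0) == 0) return 1;         /* creation fails */
    if (session_write(&s, "x", 1) != -1) return 2;  /* use before creation */
    if (session_open(&s, 8) != 0) return 3;
    if (session_write(&s, "abc", 3) != 3) return 4;
    session_close(&s);
    session_close(&s);                              /* double release */
    if (session_write(&s, "x", 1) != -1) return 5;  /* use after release */
    return 0;
}

int main(void) { return lifetime_demo(); }
```

The phase check only protects the resource the structure owns; the structure itself must still be valid memory when these functions are called.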

+ Time of Introduction
  • Implementation
+ Common Consequences
Scope | Effect
Other | Technical Impact: Other

+ Potential Mitigations

Phase: Testing

Use static analysis tools to check for unreleased resources.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 361 | Time and State | Development Concepts (primary) 699; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ChildOf | Category | 984 | SFP Secondary Cluster: Life Cycle | Software Fault Pattern (SFP) Clusters (primary) 888
ParentOf | Weakness Class | 221 | Information Loss or Omission | Research Concepts (primary) 1000
ParentOf | Weakness Class | 284 | Improper Access Control | Research Concepts 1000
ParentOf | Weakness Base | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Research Concepts (primary) 1000
ParentOf | Weakness Base | 404 | Improper Resource Shutdown or Release | Research Concepts (primary) 1000
ParentOf | Weakness Class | 405 | Asymmetric Resource Consumption (Amplification) | Research Concepts (primary) 1000
ParentOf | Weakness Base | 410 | Insufficient Resource Pool | Research Concepts (primary) 1000
ParentOf | Weakness Base | 471 | Modification of Assumed-Immutable Data (MAID) | Research Concepts (primary) 1000
ParentOf | Weakness Class | 485 | Insufficient Encapsulation | Research Concepts (primary) 1000
ParentOf | Weakness Class | 610 | Externally Controlled Reference to a Resource in Another Sphere | Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ParentOf | Weakness Base | 662 | Improper Synchronization | Research Concepts (primary) 1000
ParentOf | Weakness Class | 665 | Improper Initialization | Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ParentOf | Weakness Base | 666 | Operation on Resource in Wrong Phase of Lifetime | Research Concepts (primary) 1000
ParentOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ParentOf | Weakness Class | 669 | Incorrect Resource Transfer Between Spheres | Research Concepts (primary) 1000
ParentOf | Weakness Class | 673 | External Influence of Sphere Definition | Research Concepts (primary) 1000
ParentOf | Weakness Class | 704 | Incorrect Type Conversion or Cast | Development Concepts (primary) 699; Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ParentOf | Weakness Class | 706 | Use of Incorrectly-Resolved Name or Reference | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 908 | Use of Uninitialized Resource | Research Concepts (primary) 1000
ParentOf | Weakness Base | 911 | Improper Update of Reference Count | Research Concepts (primary) 1000
ParentOf | Weakness Class | 913 | Improper Control of Dynamically-Managed Code Resources | Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ParentOf | Weakness Class | 922 | Insecure Storage of Sensitive Information | Development Concepts (primary) 699; Research Concepts (primary) 1000
MemberOf | View | 1000 | Research Concepts | Research Concepts (primary) 1000
+ Maintenance Notes

More work is needed on this node and its children. There are perspective/layering issues; for example, one breakdown is based on lifecycle phase (CWE-404, CWE-665), while other children are independent of lifecycle, such as CWE-400. Others do not specify as many bases or variants, such as CWE-704, which primarily covers numbers at this stage.

+ Content History
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
  updated Potential_Mitigations, Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
  updated Description, Maintenance_Notes, Relationships, Type
2009-03-10 | CWE Content Team | MITRE | Internal
  updated Related_Attack_Patterns
2009-05-27 | CWE Content Team | MITRE | Internal
  updated Description, Name, Relationships
2009-07-27 | CWE Content Team | MITRE | Internal
  updated Relationships
2010-02-16 | CWE Content Team | MITRE | Internal
  updated Relationships
2010-12-13 | CWE Content Team | MITRE | Internal
  updated Description, Relationships
2011-03-29 | CWE Content Team | MITRE | Internal
  updated Relationships
2011-06-01 | CWE Content Team | MITRE | Internal
  updated Common_Consequences, Relationships
2012-05-11 | CWE Content Team | MITRE | Internal
  updated Related_Attack_Patterns, Relationships
2012-10-30 | CWE Content Team | MITRE | Internal
  updated Potential_Mitigations
2013-02-21 | CWE Content Team | MITRE | Internal
  updated Relationships
2013-07-17 | CWE Content Team | MITRE | Internal
  updated Relationships
2014-07-30 | CWE Content Team | MITRE | Internal
  updated Relationships
2015-12-07 | CWE Content Team | MITRE | Internal
  updated Relationships
2017-01-19 | CWE Content Team | MITRE | Internal
  updated Relationships

Previous Entry Names
Change Date | Previous Entry Name
2009-05-27 | Insufficient Control of a Resource Through its Lifetime

Page Last Updated: January 18, 2017