CWE-1072: Data Resource Access without Use of Connection Pooling


What is Data Resource Access without Use of Connection Pooling?

• Overview: Data Resource Access without Use of Connection Pooling (CWE-1072) occurs when a software product accesses a database without using connection pooling. The product must then open and close a database connection for each access instead of reusing existing ones, which wastes resources and degrades performance. If the affected code is reachable by an attacker, this inefficiency can become a vulnerability.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by causing the application to make excessive database connections, leading to resource exhaustion.
  • Common attack patterns include sending repeated requests that require new connections, overwhelming the database server.

• Security Impact:

  • Direct consequences include degraded application performance and increased response times.
  • Potential cascading effects might involve denial of service due to resource exhaustion.
  • Business impact includes reduced customer satisfaction and potential financial loss due to service unavailability.

• Prevention Guidelines:

  • Implement connection pooling to manage database connections efficiently.
  • Follow security best practices such as setting connection timeouts and maximum pool sizes to prevent resource exhaustion.
  • Use recommended tools and frameworks that support connection pooling, such as JDBC in Java together with a connection pool library like HikariCP.
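
The prevention guidelines above, as an added example that is not part of the original page: a handler that opens a connection per request next to a bounded pool with a maximum size and an acquisition timeout. It uses Python's standard library with in-memory SQLite as a constructed stand-in for a database server; `BoundedPool`, `handle_unpooled` and `connections_opened` are hypothetical names, and the hand-written pool stands in for a pooling library such as HikariCP.

```python
import queue
import sqlite3
import threading
from concurrent.futures import ThreadPoolExecutor
from contextlib import closing, contextmanager

STATS = {"opened": 0}   # connections opened so far (demo metric)
_lock = threading.Lock()

def open_conn():
    with _lock:
        STATS["opened"] += 1
    # Constructed stand-in for a connection to a real database server.
    return sqlite3.connect(":memory:", check_same_thread=False)

def handle_unpooled():
    """CWE-1072 pattern: each request opens and closes its own connection."""
    with closing(open_conn()) as conn:
        return conn.execute("SELECT 1").fetchone()[0]

class BoundedPool:
    """Opens max_size connections once; callers wait at most acquire_timeout seconds."""
    def __init__(self, max_size, acquire_timeout):
        self.acquire_timeout = acquire_timeout
        self._idle = queue.Queue()
        for _ in range(max_size):
            self._idle.put(open_conn())

    @contextmanager
    def connection(self):
        try:
            conn = self._idle.get(timeout=self.acquire_timeout)
        except queue.Empty:
            raise TimeoutError("pool exhausted") from None
        try:
            yield conn
        finally:
            conn.rollback()       # discard any open transaction before reuse
            self._idle.put(conn)

    def handle(self):
        with self.connection() as conn:
            return conn.execute("SELECT 1").fetchone()[0]

def connections_opened(handler, requests=40, workers=8):
    """Run `requests` concurrent calls to handler; return connections opened meanwhile."""
    before = STATS["opened"]
    with ThreadPoolExecutor(max_workers=workers) as ex:
        list(ex.map(lambda _: handler(), range(requests)))
    return STATS["opened"] - before
```

With a pool of 4, `connections_opened(pool.handle)` opens no further connections for the same 40 requests that cost 40 connections unpooled, and a caller that cannot obtain a connection within the timeout gets a `TimeoutError` instead of a new connection.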

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not specified

Affected Technologies: Not specified
