A Java OutOfMemoryError occurs if the program attempts to use more heap space than is available. Among other causes, this error may result from
- a memory leak (see MSC05-J. Do not leak memory for information on preventing memory leaks)
- an infinite loop
- limited amounts of default heap memory available
- incorrect implementation of common data structures (hash tables, vectors, and so on)
- unbounded deserialization
- writing a large number of objects to an ObjectOutputStream (see SER10-J. Avoid memory and resource leaks during serialization for more information)
- creating a large number of threads
- uncompressing a file (see IDS04-J. Limit the size of files passed to ZipInputStream for example)
Some of these causes are platform-dependent and difficult to anticipate. Others are fairly easy to anticipate, such as reading data from a file. As a result, programs must not accept untrusted input in a manner that can cause the program to exhaust memory.
...
Any code that uses this method is susceptible to a resource exhaustion attack because the user can enter a string of any length.
...
In a server-class machine using a parallel garbage collector, the default initial and maximum heap sizes are as follows for Java SE 6.0 [Sun 2006]:
...
A simple compliant solution is to reduce the number of names to read.
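As an added example that is not part of the original rule's code, the following reader bounds both the number of names accepted and the length of each name, so untrusted input cannot drive heap growth; the class name and the two limits are assumed. It reads character by character rather than with readLine(), because readLine() buffers an entire line of arbitrary length before any check can run.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

public class BoundedNameReader {
    // Assumed limits: at most 1000 names, each at most 256 characters
    private static final int MAX_NAMES = 1000;
    private static final int MAX_NAME_LENGTH = 256;

    // Reads one name per '\n'-terminated line, rejecting input that exceeds either cap
    public static List<String> readNames(BufferedReader reader) throws IOException {
        List<String> names = new ArrayList<>();
        StringBuilder current = new StringBuilder();
        int ch;
        while ((ch = reader.read()) != -1) {
            if (ch == '\n') {
                addName(names, current);
                current.setLength(0);
                continue;
            }
            // Check before appending so an endless line never grows the buffer past the cap
            if (current.length() >= MAX_NAME_LENGTH) {
                throw new IOException("name exceeds " + MAX_NAME_LENGTH + " characters");
            }
            current.append((char) ch);
        }
        if (current.length() > 0) {
            addName(names, current); // final name without a trailing newline
        }
        return names;
    }

    private static void addName(List<String> names, StringBuilder current) throws IOException {
        if (names.size() >= MAX_NAMES) {
            throw new IOException("more than " + MAX_NAMES + " names supplied");
        }
        names.add(current.toString());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a well-formed list and a single over-long name
        System.out.println(readNames(new BufferedReader(new StringReader("alice\nbob\ncarol\n"))));
        try {
            readNames(new BufferedReader(new StringReader("x".repeat(MAX_NAME_LENGTH + 1))));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```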
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC07-J | low | probable | medium | P4 | L3 |
Related Vulnerabilities
The Apache Geronimo bug described by GERONIMO-4224 results in an OutOfMemoryError exception thrown by the WebAccessLogViewer if the access log file size is too large, such as more than 200 MB.
Related Guidelines
| ISO/IEC TR 24772:2010 (http://www.aitcnet.org/isai/) | "Resource Exhaustion [XZP]" |
| CWE-400 | "Uncontrolled Resource Consumption ('Resource Exhaustion')" |
| CWE-770 | "Allocation of Resources Without Limits or Throttling" |
...
| [Sun 2006] | Garbage Collection Ergonomics (http://java.sun.com/javase/6/docs/technotes/guides/vm/gc-ergonomics.html), "Default values for the Initial and Maximum heap size" |
| [Java 2006] | java - the Java application launcher (http://java.sun.com/javase/6/docs/technotes/tools/windows/java.html), "Syntax for increasing the heap size" |
| [Sun 2003] | Chapter 5: Tuning the Java Runtime System, Tuning the Java Heap (http://docs.sun.com/source/817-2180-10/pt_chap5.html#wp57027) |
| [API 2006] | Class ObjectInputStream and ObjectOutputStream |
| [SDN 2008] | Serialization FAQ (http://java.sun.com/javase/technologies/core/basic/serializationFAQ.jsp) |
...