Reliance on Uncontrolled Component

The product's design or architecture is built from multiple separate components, but one or more components are not under complete control of the developer, such as a third-party software library or a physical component that is built by an original equipment manufacturer (OEM).


Description

Many modern hardware and software products are built by combining multiple smaller components into one larger entity. These components might be provided by external parties or otherwise cannot be modified by the product vendor, i.e., they are "uncontrolled." For example, a hardware component might be built by a separate manufacturer, or the product might use an open source library that is developed by people who have no formal contract with the product vendor. Alternately, a component's vendor might no longer be in business and therefore cannot provide updates or changes to the component.

This dependency on "uncontrolled" components means that if security risks are found in the uncontrolled component, the product vendor is not necessarily able to fix them. Nor can the product vendor necessarily be certain that the uncontrolled component was built according to the product's security expectations.

See Also

ICS Supply Chain: Common Mode Frailties

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March ...

ICS Dependencies (& Architecture): External Digital Systems

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in Mar...

ICS Dependencies (& Architecture): External Physical Systems

Weaknesses in this category are related to the "External Physical Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in Ma...

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Quality Weaknesses with Indirect Security Impacts

CWE identifiers in this view (slice) are quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult t...

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.