Red Hat Data Grid
cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*
- < 8
A buffer leak vulnerability has been identified in the Infinispan component of Red Hat Data Grid. The issue arises in the REST compare API, where continuous requests containing large POST data can cause a buffer leak and result in an OutOfMemoryError. The REST endpoint requires authentication by default, so only authenticated users can exploit this vulnerability, but it can still be used to mount a denial-of-service attack.
Exploitation of this vulnerability can cause a denial-of-service condition by exhausting available memory resources, leading to application crashes or unresponsiveness.
The vulnerability can be reproduced by sending continuous POST requests with large payloads to the REST compare API endpoint. This can be done using tools that automate HTTP requests, such as curl or Postman, or by writing a script that sends repeated requests with the desired data size. Monitor the application for 'OutOfMemoryError' messages, which indicate that the buffer leak is causing memory exhaustion.
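For monitoring, the pattern described above (one authenticated user sending repeated large POSTs to the compare endpoint, followed by 'OutOfMemoryError' in the server log) can be searched for in logs. The following is an added example, not code from Red Hat or Infinispan; the log layout, the placeholder path /example/compare, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout (constructed): timestamp user method path request_bytes status
LINE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+) (\d{3})$")
COMPARE_MARKER = "/example/compare"  # placeholder: the page gives no endpoint path
LARGE_BODY = 1_000_000               # bytes; assumed threshold for "large POST data"
MIN_REQUESTS = 3                     # assumed burst size worth alerting on
WINDOW_SECONDS = 60                  # assumed sliding window

def flag_compare_floods(lines):
    """Return {user: peak count} of large compare POSTs seen inside one window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, user, method, path, size, _status = m.groups()
        if method == "POST" and COMPARE_MARKER in path and int(size) >= LARGE_BODY:
            hits[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most WINDOW_SECONDS.
            while (t - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= MIN_REQUESTS:
            flagged[user] = peak
    return flagged

def oom_lines(server_log):
    """Server-log lines reporting the memory exhaustion the page describes."""
    return [l for l in server_log if "OutOfMemoryError" in l]

# Constructed sample data, not taken from a real deployment.
ACCESS = [
    "2024-05-01T10:00:00 alice POST /example/compare 5242880 200",
    "2024-05-01T10:00:10 alice POST /example/compare 5242880 200",
    "2024-05-01T10:00:20 alice POST /example/compare 5242880 200",
    "2024-05-01T10:00:30 alice POST /example/compare 5242880 500",
    "2024-05-01T10:05:00 alice POST /example/compare 5242880 200",
    "2024-05-01T10:00:05 bob POST /example/compare 5242880 200",
    "2024-05-01T10:00:06 carol POST /example/compare 512 200",
]
SERVER = ["2024-05-01T10:00:31 ERROR java.lang.OutOfMemoryError",
          "2024-05-01T10:00:32 INFO request served"]
```

Because the endpoint is authenticated, each flagged entry names an account, which gives responders something concrete to rate-limit or investigate.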