Bug 2351452 (CVE-2025-2240)

Summary: CVE-2025-2240 smallrye-fault-tolerance: SmallRye Fault Tolerance
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, caswilli, cdewolf, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, istudens, ivassile, iweiss, janstey, jmartisk, jnethert, jpoth, kaycoth, lgao, lthon, manderse, mosmerov, msochure, msvehla, nipatil, nwallace, olubyans, pantinor, pcongius, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rkubis, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, sniemiec, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrick Del Bello 2025-03-12 02:48:13 UTC
A flaw was found in Smallrye. smallrye-fault-tolerance is vulnerable to an Out-of-Memory (OOM) which is triggered externally when calling the metrics URI. Every call creates a new object within meterMap and may lead to Denial of Service (DoS).
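The description states the failure mode (a map entry added on every metrics call) but not what such code looks like. The following is an added illustration, not smallrye-fault-tolerance's own implementation and not its actual patch: it contrasts a map keyed by a freshly constructed, identity-compared object (so each request inserts a new entry that is never reused) with a map keyed by a stable value, which stays bounded by the number of distinct methods. Every class and field name here (MeterMapGrowth, Meter, MethodDescriptor, leakyMeterMap, boundedMeterMap, leakyLookup, boundedLookup) is an assumption made for the example; only the name meterMap comes from the bug text.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative reproduction of the defect class described in the bug (hypothetical
// code; not smallrye-fault-tolerance's own implementation or fix).
public class MeterMapGrowth {

    // Stand-in for a metrics meter; the real library's types are not used here.
    static final class Meter {
        final String name;
        Meter(String name) { this.name = name; }
    }

    // Stand-in for a per-request descriptor derived from the call being measured.
    // Deliberately no equals()/hashCode(): identity semantics, like an object that
    // is freshly constructed on every request.
    static final class MethodDescriptor {
        final String method;
        MethodDescriptor(String method) { this.method = method; }
    }

    // Vulnerable shape: the map is keyed by an object without value equality, so a
    // new key is built per call, computeIfAbsent never finds a match, and the map
    // grows by one entry on every request until the heap is exhausted.
    static final Map<MethodDescriptor, Meter> leakyMeterMap = new ConcurrentHashMap<>();

    static Meter leakyLookup(String method) {
        MethodDescriptor key = new MethodDescriptor(method); // new object per call
        return leakyMeterMap.computeIfAbsent(key, k -> new Meter(k.method));
    }

    // Hardened shape: key by a stable value (the method name). Repeated calls for
    // the same method reuse one entry, so the map is bounded by the number of
    // distinct methods rather than by the number of requests.
    static final Map<String, Meter> boundedMeterMap = new ConcurrentHashMap<>();

    static Meter boundedLookup(String method) {
        return boundedMeterMap.computeIfAbsent(method, Meter::new);
    }

    public static void main(String[] args) {
        // Constructed workload: the same endpoint hit repeatedly, as a metrics scraper would.
        for (int i = 0; i < 10_000; i++) {
            leakyLookup("GET /metrics");
            boundedLookup("GET /metrics");
        }
        System.out.println("leaky map size:   " + leakyMeterMap.size());
        System.out.println("bounded map size: " + boundedMeterMap.size());
    }
}
```

The observable symptom of the leaky shape is a registry whose entry count rises in lockstep with request count under an unchanging set of measured methods; a heap histogram or a gauge on the map size taken across repeated identical requests makes the growth visible long before an OutOfMemoryError.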

Comment 1 errata-xmlrpc 2025-04-02 16:48:44 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:3541 https://access.redhat.com/errata/RHSA-2025:3541

Comment 2 errata-xmlrpc 2025-04-02 20:19:35 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.8.5 for Spring Boot

Via RHSA-2025:3543 https://access.redhat.com/errata/RHSA-2025:3543