The API calls are successfully routed by RESTEasy, while this cache grows unbounded. Due to keys having the same hash code, each subsequent request gets slower as more CPU time is spent searching and adding the entry. A simple load generator could exploit this to make the endpoint unresponsive. The media type itself is cached by MediaTypeHeaderDelegate, which protects itself by using a fixed-size cache (default of 200) that is cleared when growing beyond the threshold. Since the RootNode cache is unbounded and not accessible, it is subject to this exploit.
References: https://issues.redhat.com/browse/RESTEASY-2643
Acknowledgments: Name: Ben Manes (Vector)
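The mechanism described in the report, as an added illustration that is not code from RESTEasy, from the reporter, or from Red Hat: a routing cache keyed by a client-controlled header string (an assumption standing in for whatever RootNode actually keys on) is fed thousands of distinct keys that share one String.hashCode(), once against an unbounded map and once against a self-clearing map of the kind MediaTypeHeaderDelegate uses. The class, method and key names are invented for the demo.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Demonstration only; the key type, cache shapes and names are assumptions,
// not RESTEasy's RootNode or MediaTypeHeaderDelegate implementation.
public class CacheGrowthDemo {

    // Every string assembled from the blocks "Aa" and "BB" has the same
    // String.hashCode(): 'A'*31 + 'a' == 'B'*31 + 'B' == 2112, and each block's
    // contribution depends only on its position, so 2^n keys of n blocks collide.
    static List<String> collidingKeys(int blocks) {
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int i = 0; i < blocks; i++) {
            List<String> next = new ArrayList<>(keys.size() * 2);
            for (String k : keys) {
                next.add(k + "Aa");
                next.add(k + "BB");
            }
            keys = next;
        }
        return keys;
    }

    // Vulnerable shape: an entry is added for every distinct key ever seen.
    // On JDK 8+ a bin of colliding Comparable keys (String) is treeified, so
    // each operation costs O(log n); on older JDKs, or with keys that are not
    // Comparable, the bin is a linked list walked in full on every request.
    // Either way the map never shrinks, so memory grows with attacker traffic.
    static final class UnboundedCache {
        private final Map<String, String> map = new HashMap<>();
        String lookup(String key) {
            return map.computeIfAbsent(key, k -> "route-for:" + k);
        }
        int size() { return map.size(); }
    }

    // Protected shape the report attributes to MediaTypeHeaderDelegate: a fixed
    // threshold (default 200), and the whole cache is dropped when exceeding it.
    // An attacker can force misses and evictions, but not growth.
    static final class BoundedCache {
        private final Map<String, String> map = new ConcurrentHashMap<>();
        private final int max;
        BoundedCache(int max) { this.max = max; }
        String lookup(String key) {
            String v = map.get(key);
            if (v == null) {
                if (map.size() >= max) map.clear();
                v = "route-for:" + key;
                map.put(key, v);
            }
            return v;
        }
        int size() { return map.size(); }
    }

    public static void main(String[] args) {
        List<String> keys = collidingKeys(14);   // 16384 distinct keys, one hash code
        int h = keys.get(0).hashCode();
        for (String k : keys) {
            if (k.hashCode() != h) throw new AssertionError("keys must collide");
        }

        UnboundedCache unbounded = new UnboundedCache();
        BoundedCache bounded = new BoundedCache(200);

        long t0 = System.nanoTime();
        for (String k : keys) unbounded.lookup(k);
        long t1 = System.nanoTime();
        for (String k : keys) bounded.lookup(k);
        long t2 = System.nanoTime();

        System.out.printf("unbounded: %d entries after %d requests, %.1f ms%n",
                unbounded.size(), keys.size(), (t1 - t0) / 1e6);
        System.out.printf("bounded:   %d entries after %d requests, %.1f ms%n",
                bounded.size(), keys.size(), (t2 - t1) / 1e6);
    }
}
```

Raise the block count to grow the key set geometrically; the unbounded cache ends with one entry per request sent, while the bounded one never holds more than its threshold regardless of how many distinct, colliding keys the client invents.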
Red Hat Enterprise Linux 7 and 8 do not ship versions of RESTEasy that are affected by this flaw, as the vulnerable code was introduced in newer versions.
This issue has been addressed in the following products: Red Hat build of Quarkus 1.3.4 SP1 Via RHSA-2020:3248 https://access.redhat.com/errata/RHSA-2020:3248
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14326
We are changing Camel-K to have a low impact. Although Red Hat Integration Camel-K ships some RESTEasy components in the affected version range, they are not used as part of the Camel-K runtime; instead, camel-platform-http is used for exposing REST routes.
This issue has been addressed in the following products: Red Hat Fuse 7.8.0 Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918