2353998 – (CVE-2025-2586) CVE-2025-2586 ols: Unauthenticated Metrics Flooding in OpenShift Lightspeed Service Leading to Resource Exhaustion

Bug 2353998 (CVE-2025-2586) - CVE-2025-2586 ols: Unauthenticated Metrics Flooding in OpenShift Lightspeed Service Leading to Resource Exhaustion

Summary: CVE-2025-2586 ols: Unauthenticated Metrics Flooding in OpenShift Lightspeed S...

Keywords:
Status:	NEW
Alias:	CVE-2025-2586
Deadline:	2025-03-31
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-21 06:02 UTC by OSIDB Bzimport
Modified:	2025-06-01 08:27 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-21 06:02:30 UTC

The OpenShift Lightspeed Service does not enforce authentication when logging metrics for API requests, including those made to non-existent endpoints. This allows unauthenticated users to send a large volume of requests to arbitrary, non-existent endpoints, causing excessive metric entries. As a result, this behavior can lead to high CPU and memory usage, degraded application performance, and potential denial of service  conditions for monitoring and logging components.

Note You need to log in before you can comment on or make changes to this bug.