Marek Hulan <mhulan> reports: Katello API OAuth authentication is vulnerable to DoS. User can set consumer_key to any value which is later converted to symbol. This can lead to memory exhaustion.
Acknowledgements: This issue was discovered by Marek Hulán of the Red Hat Foreman team.
I think the exposure here is pretty small. The consumer key is passed as an http header. Per http://tomcat.apache.org/tomcat-6.0-doc/config/http.html the default max header size is 8k and the default concurrent threads is 200. That gets me to about 2 meg of memory consumption.
Per discussions with Tjay, closing this out.