A vulnerability (CVE-2024-6875) was recently discovered in the Infinispan component in Red Hat Data Grid, a leading in-memory data management solution. The REST compare API, used to compare data between various distributed cache nodes, may have a buffer leak, leading to out-of-memory errors when large POST data is continually sent to the API. In this post, we will dive deeper into the issue, providing a code snippet demonstrating the vulnerability, linking to original references, and discussing the potential implications of this exploit.

Vulnerability Details

The vulnerability originates from the Infinispan component's improper handling of large POST data sent to the REST compare API: memory is leaked on these requests, eventually causing out-of-memory errors. Consequently, a threat actor can exploit this vulnerability to disrupt the functionality of an affected Red Hat Data Grid cluster, potentially causing a denial of service. The problem has the Common Vulnerability Scoring System (CVSS) v3. base score of 5.3.

Code Snippet

Here's a simple example demonstrating a POST request sent to the REST compare API. Notice the large payload:

import requests

# Customize with your target URL, cache and key
url = "http://your_datagrid_cluster_url:11222/rest/your_cache/your_key?action=compare"

# Send a large payload
payload = "A" * (1024 * 1024)  # 1MB of data

headers = {
    "Content-Type": "application/octet-stream"
}

response = requests.post(url, data=payload, headers=headers)

When requests of this kind are sent continually, the REST API will eventually leak enough memory to cause the out-of-memory error.

Red Hat Security Advisory (RHSA-2024:1629)

https://access.redhat.com/errata/RHSA-2024:1629

Infinispan-6885 JIRA issue

https://issues.redhat.com/browse/ISPN-6885

Exploit Potential

An attacker can exploit this vulnerability to cause a denial of service (DoS) on the affected Red Hat Data Grid cluster. When large POST data is continually sent to the REST compare API, memory buffers are consistently leaked, eventually causing the server to run out of memory. This can lead to disruption of the entire data grid cluster, potentially causing downtime, data unavailability, and further negative consequences for businesses relying on Red Hat Data Grid for their in-memory data management needs.

Mitigating the Vulnerability

Red Hat has released a security patch to address this vulnerability in Red Hat Data Grid (see RHSA-2024:1629). It is highly recommended that affected users update their systems as soon as possible. Additionally, users can protect their REST API by implementing proper access controls and rate-limiting requests to minimize the risk of exploitation.
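To support the rate-limiting advice above, the following added example (not code from Red Hat or the Infinispan project) scans access-log lines for clients pushing a large volume of POST data at the compare endpoint within a sliding window. The log layout, the 60-second window, the 5 MiB budget and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Assumed log layout (constructed for this example, not Data Grid's own format):
#   <ISO timestamp> <client ip> <method> <path?query> <request body bytes>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<size>\d+)$")

def is_compare_post(method, target):
    """True for a POST to a /rest/ path whose query string carries action=compare."""
    path, _, query = target.partition("?")
    return (method == "POST" and path.startswith("/rest/")
            and "compare" in parse_qs(query).get("action", []))

def find_heavy_clients(lines, window=timedelta(seconds=60), byte_budget=5 * 1024 * 1024):
    """Return {ip: peak bytes} for clients whose compare POST bodies exceed
    byte_budget within any sliding window. Lines must be in time order per client."""
    recent = defaultdict(deque)  # ip -> (timestamp, size) pairs still inside the window
    totals = defaultdict(int)    # ip -> sum of sizes currently in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_compare_post(m["method"], m["target"]):
            continue  # unparseable line or not a compare POST
        ip, ts, size = m["ip"], datetime.fromisoformat(m["ts"]), int(m["size"])
        recent[ip].append((ts, size))
        totals[ip] += size
        while ts - recent[ip][0][0] > window:  # expire entries older than the window
            totals[ip] -= recent[ip].popleft()[1]
        if totals[ip] > byte_budget:
            flagged[ip] = max(flagged.get(ip, 0), totals[ip])
    return flagged

# Constructed sample traffic (documentation-range addresses, placeholder cache/key names).
URL = "/rest/your_cache/your_key?action=compare"
SAMPLE_LOG = (
    # 8 x 1 MiB compare POSTs within 8 seconds: exceeds the budget
    [f"2025-01-01T10:00:{s:02d} 192.0.2.10 POST {URL} 1048576" for s in range(8)]
    # 6 x 1 MiB compare POSTs one minute apart: stays under the budget
    + [f"2025-01-01T10:{m:02d}:00 198.51.100.9 POST {URL} 1048576" for m in range(6)]
    # large POST without action=compare, and a GET: ignored
    + ["2025-01-01T10:00:05 192.0.2.20 POST /rest/your_cache/other_key 9437184",
       "2025-01-01T10:00:06 198.51.100.7 GET /rest/your_cache/your_key 0"]
)

if __name__ == "__main__":
    for ip, peak in find_heavy_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} bytes of compare POST data inside one window")
```

The same per-client byte accounting can back an enforcement point in a reverse proxy or gateway in front of the REST endpoint; the budget should be tuned to the legitimate compare traffic observed in the deployment.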

In conclusion, CVE-2024-6875 showcases a buffer leak vulnerability in the Infinispan component in Red Hat Data Grid. By understanding and addressing this issue, businesses can enhance the security of their in-memory data management solutions and minimize potential disruptions caused by exploits of this kind.

Timeline

Published on: 03/28/2025 21:15:17 UTC
Last modified on: 05/06/2025 16:13:04 UTC