RHSA-2025:3376

Vulnerability from csaf_redhat - Published: 2025-04-02 13:06 - Updated: 2025-11-24 09:23
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.15.4 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 3.15.4 includes the following CVE fix: * io.smallrye/smallrye-fault-tolerance-core: SmallRye Fault Tolerance [quarkus-3.15] (CVE-2025-2240) For more information, see the release notes page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2025-2240

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1325 - Improperly Controlled Sequential Memory Allocation
Vendor Fix Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2025:3376
Workaround Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
References
https://access.redhat.com/errata/RHSA-2025:3376 self
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/jbossnetwork/restricted… external
https://access.redhat.com/products/quarkus/ external
https://access.redhat.com/articles/4966181 external
https://issues.redhat.com/browse/QUARKUS-5760 external
https://issues.redhat.com/browse/QUARKUS-5762 external
https://issues.redhat.com/browse/QUARKUS-5763 external
https://issues.redhat.com/browse/QUARKUS-5765 external
https://issues.redhat.com/browse/QUARKUS-5766 external
https://issues.redhat.com/browse/QUARKUS-5767 external
https://issues.redhat.com/browse/QUARKUS-5768 external
https://issues.redhat.com/browse/QUARKUS-5769 external
https://issues.redhat.com/browse/QUARKUS-5770 external
https://issues.redhat.com/browse/QUARKUS-5771 external
https://issues.redhat.com/browse/QUARKUS-5772 external
https://issues.redhat.com/browse/QUARKUS-5773 external
https://issues.redhat.com/browse/QUARKUS-5775 external
https://issues.redhat.com/browse/QUARKUS-5776 external
https://issues.redhat.com/browse/QUARKUS-5777 external
https://issues.redhat.com/browse/QUARKUS-5778 external
https://issues.redhat.com/browse/QUARKUS-5779 external
https://issues.redhat.com/browse/QUARKUS-5780 external
https://issues.redhat.com/browse/QUARKUS-5781 external
https://issues.redhat.com/browse/QUARKUS-5783 external
https://issues.redhat.com/browse/QUARKUS-5784 external
https://issues.redhat.com/browse/QUARKUS-5785 external
https://issues.redhat.com/browse/QUARKUS-5786 external
https://issues.redhat.com/browse/QUARKUS-5787 external
https://issues.redhat.com/browse/QUARKUS-5788 external
https://issues.redhat.com/browse/QUARKUS-5789 external
https://issues.redhat.com/browse/QUARKUS-5790 external
https://issues.redhat.com/browse/QUARKUS-5791 external
https://issues.redhat.com/browse/QUARKUS-5792 external
https://issues.redhat.com/browse/QUARKUS-5793 external
https://issues.redhat.com/browse/QUARKUS-5794 external
https://issues.redhat.com/browse/QUARKUS-5795 external
https://issues.redhat.com/browse/QUARKUS-5796 external
https://issues.redhat.com/browse/QUARKUS-5797 external
https://issues.redhat.com/browse/QUARKUS-5798 external
https://issues.redhat.com/browse/QUARKUS-5799 external
https://issues.redhat.com/browse/QUARKUS-5800 external
https://issues.redhat.com/browse/QUARKUS-5801 external
https://issues.redhat.com/browse/QUARKUS-5802 external
https://issues.redhat.com/browse/QUARKUS-5803 external
https://issues.redhat.com/browse/QUARKUS-5804 external
https://issues.redhat.com/browse/QUARKUS-5828 external
https://issues.redhat.com/browse/QUARKUS-5829 external
https://issues.redhat.com/browse/QUARKUS-5830 external
https://issues.redhat.com/browse/QUARKUS-5831 external
https://issues.redhat.com/browse/QUARKUS-5832 external
https://issues.redhat.com/browse/QUARKUS-5833 external
https://issues.redhat.com/browse/QUARKUS-5834 external
https://issues.redhat.com/browse/QUARKUS-5835 external
https://issues.redhat.com/browse/QUARKUS-5836 external
https://issues.redhat.com/browse/QUARKUS-5837 external
https://issues.redhat.com/browse/QUARKUS-5838 external
https://issues.redhat.com/browse/QUARKUS-5839 external
https://issues.redhat.com/browse/QUARKUS-5840 external
https://issues.redhat.com/browse/QUARKUS-5841 external
https://issues.redhat.com/browse/QUARKUS-5842 external
https://issues.redhat.com/browse/QUARKUS-5843 external
https://issues.redhat.com/browse/QUARKUS-5844 external
https://issues.redhat.com/browse/QUARKUS-5849 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2025-2240 self
https://bugzilla.redhat.com/show_bug.cgi?id=2351452 external
https://www.cve.org/CVERecord?id=CVE-2025-2240 external
https://nvd.nist.gov/vuln/detail/CVE-2025-2240 external
https://github.com/advisories/GHSA-gfh6-3pqw-x2j4 external
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Quarkus 3.15.4 includes the following CVE fix:\n\n* io.smallrye/smallrye-fault-tolerance-core: SmallRye Fault Tolerance [quarkus-3.15] (CVE-2025-2240)\n\nFor more information, see the release notes page listed in the References\nsection.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:3376",
        "url": "https://access.redhat.com/errata/RHSA-2025:3376"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.15.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/quarkus/",
        "url": "https://access.redhat.com/products/quarkus/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/articles/4966181",
        "url": "https://access.redhat.com/articles/4966181"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5760",
        "url": "https://issues.redhat.com/browse/QUARKUS-5760"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5762",
        "url": "https://issues.redhat.com/browse/QUARKUS-5762"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5763",
        "url": "https://issues.redhat.com/browse/QUARKUS-5763"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5765",
        "url": "https://issues.redhat.com/browse/QUARKUS-5765"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5766",
        "url": "https://issues.redhat.com/browse/QUARKUS-5766"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5767",
        "url": "https://issues.redhat.com/browse/QUARKUS-5767"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5768",
        "url": "https://issues.redhat.com/browse/QUARKUS-5768"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5769",
        "url": "https://issues.redhat.com/browse/QUARKUS-5769"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5770",
        "url": "https://issues.redhat.com/browse/QUARKUS-5770"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5771",
        "url": "https://issues.redhat.com/browse/QUARKUS-5771"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5772",
        "url": "https://issues.redhat.com/browse/QUARKUS-5772"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5773",
        "url": "https://issues.redhat.com/browse/QUARKUS-5773"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5775",
        "url": "https://issues.redhat.com/browse/QUARKUS-5775"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5776",
        "url": "https://issues.redhat.com/browse/QUARKUS-5776"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5777",
        "url": "https://issues.redhat.com/browse/QUARKUS-5777"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5778",
        "url": "https://issues.redhat.com/browse/QUARKUS-5778"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5779",
        "url": "https://issues.redhat.com/browse/QUARKUS-5779"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5780",
        "url": "https://issues.redhat.com/browse/QUARKUS-5780"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5781",
        "url": "https://issues.redhat.com/browse/QUARKUS-5781"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5783",
        "url": "https://issues.redhat.com/browse/QUARKUS-5783"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5784",
        "url": "https://issues.redhat.com/browse/QUARKUS-5784"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5785",
        "url": "https://issues.redhat.com/browse/QUARKUS-5785"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5786",
        "url": "https://issues.redhat.com/browse/QUARKUS-5786"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5787",
        "url": "https://issues.redhat.com/browse/QUARKUS-5787"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5788",
        "url": "https://issues.redhat.com/browse/QUARKUS-5788"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5789",
        "url": "https://issues.redhat.com/browse/QUARKUS-5789"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5790",
        "url": "https://issues.redhat.com/browse/QUARKUS-5790"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5791",
        "url": "https://issues.redhat.com/browse/QUARKUS-5791"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5792",
        "url": "https://issues.redhat.com/browse/QUARKUS-5792"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5793",
        "url": "https://issues.redhat.com/browse/QUARKUS-5793"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5794",
        "url": "https://issues.redhat.com/browse/QUARKUS-5794"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5795",
        "url": "https://issues.redhat.com/browse/QUARKUS-5795"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5796",
        "url": "https://issues.redhat.com/browse/QUARKUS-5796"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5797",
        "url": "https://issues.redhat.com/browse/QUARKUS-5797"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5798",
        "url": "https://issues.redhat.com/browse/QUARKUS-5798"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5799",
        "url": "https://issues.redhat.com/browse/QUARKUS-5799"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5800",
        "url": "https://issues.redhat.com/browse/QUARKUS-5800"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5801",
        "url": "https://issues.redhat.com/browse/QUARKUS-5801"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5802",
        "url": "https://issues.redhat.com/browse/QUARKUS-5802"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5803",
        "url": "https://issues.redhat.com/browse/QUARKUS-5803"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5804",
        "url": "https://issues.redhat.com/browse/QUARKUS-5804"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5828",
        "url": "https://issues.redhat.com/browse/QUARKUS-5828"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5829",
        "url": "https://issues.redhat.com/browse/QUARKUS-5829"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5830",
        "url": "https://issues.redhat.com/browse/QUARKUS-5830"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5831",
        "url": "https://issues.redhat.com/browse/QUARKUS-5831"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5832",
        "url": "https://issues.redhat.com/browse/QUARKUS-5832"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5833",
        "url": "https://issues.redhat.com/browse/QUARKUS-5833"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5834",
        "url": "https://issues.redhat.com/browse/QUARKUS-5834"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5835",
        "url": "https://issues.redhat.com/browse/QUARKUS-5835"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5836",
        "url": "https://issues.redhat.com/browse/QUARKUS-5836"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5837",
        "url": "https://issues.redhat.com/browse/QUARKUS-5837"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5838",
        "url": "https://issues.redhat.com/browse/QUARKUS-5838"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5839",
        "url": "https://issues.redhat.com/browse/QUARKUS-5839"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5840",
        "url": "https://issues.redhat.com/browse/QUARKUS-5840"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5841",
        "url": "https://issues.redhat.com/browse/QUARKUS-5841"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5842",
        "url": "https://issues.redhat.com/browse/QUARKUS-5842"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5843",
        "url": "https://issues.redhat.com/browse/QUARKUS-5843"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5844",
        "url": "https://issues.redhat.com/browse/QUARKUS-5844"
      },
      {
        "category": "external",
        "summary": "QUARKUS-5849",
        "url": "https://issues.redhat.com/browse/QUARKUS-5849"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3376.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.15.4 release and security update",
    "tracking": {
      "current_release_date": "2025-11-24T09:23:03+00:00",
      "generator": {
        "date": "2025-11-24T09:23:03+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2025:3376",
      "initial_release_date": "2025-04-02T13:06:42+00:00",
      "revision_history": [
        {
          "date": "2025-04-02T13:06:42+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-04-02T13:06:42+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-24T09:23:03+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Quarkus 3.15.4",
                "product": {
                  "name": "Red Hat build of Quarkus 3.15.4",
                  "product_id": "Red Hat build of Quarkus 3.15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quarkus:3.15::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Quarkus"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-2240",
      "cwe": {
        "id": "CWE-1325",
        "name": "Improperly Controlled Sequential Memory Allocation"
      },
      "discovery_date": "2025-03-12T02:23:44.660000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2351452"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "smallrye-fault-tolerance: SmallRye Fault Tolerance",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability allows a remote attacker to cause an out-of-memory issue when calling the metrics URI, resulting in a denial of service. As this flaw can be triggered via the network, it has been rated with an important severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.15.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-2240"
        },
        {
          "category": "external",
          "summary": "RHBZ#2351452",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351452"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-2240",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-2240"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-2240",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2240"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-gfh6-3pqw-x2j4",
          "url": "https://github.com/advisories/GHSA-gfh6-3pqw-x2j4"
        }
      ],
      "release_date": "2025-03-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-04-02T13:06:42+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.15.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:3376"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "Red Hat build of Quarkus 3.15.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.15.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "smallrye-fault-tolerance: SmallRye Fault Tolerance"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.