CVE-2020-14326
Java vulnerability analysis and mitigation

Overview

A vulnerability was discovered in RESTEasy (CVE-2020-14326) in which RootNode caches routes incorrectly. It affects RESTEasy versions from 4.2.0 up to, but not including, 4.5.6. The issue was first reported by Ben Manes from Vector (Red Hat Bugzilla).

Technical details

When RESTEasy routes a request, RootNode records the matched route in a cache that is never evicted, so the cache grows with every distinct request that is routed. Because the cache keys collide on the same hash code, entries pile up in a single bucket and each lookup or insertion degrades to a linear scan; every subsequent request is therefore slower than the last, with more and more CPU time spent searching the cache and adding entries. By contrast, MediaTypeHeaderDelegate protects itself with a fixed-size cache (default 200 entries) that is cleared once the threshold is exceeded; the RootNode cache has no such bound and cannot be limited or cleared from outside. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. remotely triggerable over the network with no privileges or user interaction, affecting availability only (NVD, NetApp Advisory).
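The degradation described above, as an added illustration written for this page rather than code taken from RESTEasy: RouteKey, UnboundedCache and BoundedCache are hypothetical types that model the two cache shapes the advisory contrasts, an unbounded map whose keys collide next to a fixed-size cache that clears itself at a threshold (the approach MediaTypeHeaderDelegate is described as using). The constant hashCode stands in for the key collision; RESTEasy's real key type and the fix shipped in 4.5.6.Final are not reproduced here.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

/*
 * Illustrative model of the RootNode cache defect (not RESTEasy code).
 * All names below are hypothetical stand-ins chosen for this page.
 */
public class RouteCacheDemo {

    /** Hypothetical cache key whose hashCode() is constant: every key collides. */
    static final class RouteKey {
        final String path;
        RouteKey(String path) { this.path = path; }
        @Override public int hashCode() { return 42; }          // the modelled defect
        @Override public boolean equals(Object o) {
            return o instanceof RouteKey && ((RouteKey) o).path.equals(path);
        }
    }

    /** Vulnerable shape: one entry per distinct path, never evicted. */
    static final class UnboundedCache {
        final Map<RouteKey, String> map = new ConcurrentHashMap<>();
        String lookup(String path) {
            // with colliding keys this walks the whole bucket before inserting
            return map.computeIfAbsent(new RouteKey(path), k -> "route:" + k.path);
        }
        int size() { return map.size(); }
    }

    /** Hardened shape: fixed cap, cleared when the cap is exceeded. */
    static final class BoundedCache {
        final int maxSize;
        final Map<RouteKey, String> map = new ConcurrentHashMap<>();
        BoundedCache(int maxSize) { this.maxSize = maxSize; }
        String lookup(String path) {
            RouteKey key = new RouteKey(path);
            String hit = map.get(key);
            if (hit != null) return hit;
            if (map.size() >= maxSize) map.clear();   // crude, but the scan length stays <= maxSize
            String resolved = "route:" + path;
            map.put(key, resolved);
            return resolved;
        }
        int size() { return map.size(); }
    }

    /** Issues n requests, each with a path not seen before, and returns the elapsed milliseconds. */
    static long drive(Function<String, String> lookup, int n) {
        long start = System.nanoTime();
        for (int i = 0; i < n; i++) {
            lookup.apply("/api/item/" + i);   // constructed request paths
        }
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        int n = 20_000;
        UnboundedCache unbounded = new UnboundedCache();
        BoundedCache bounded = new BoundedCache(200);   // mirrors the default of 200 mentioned above

        long tUnbounded = drive(unbounded::lookup, n);
        long tBounded = drive(bounded::lookup, n);

        System.out.printf("unbounded: %d entries, %d ms%n", unbounded.size(), tUnbounded);
        System.out.printf("bounded:   %d entries, %d ms%n", bounded.size(), tBounded);
    }
}
```

Compile and run with `javac RouteCacheDemo.java && java RouteCacheDemo`. The unbounded cache finishes holding one entry per request and takes markedly longer, because each new path is compared against every entry already in the single bucket; the bounded cache never scans more than 200 entries. Changing RouteKey.hashCode() to return `path.hashCode()` removes the CPU degradation but not the memory growth, which is why a bound on the cache, not just a better hash, is needed.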

Impact

When successfully exploited, this vulnerability leads to a Denial of Service (DoS) condition. A simple load generator issuing many requests is enough to make the endpoint unresponsive, as each subsequent request gets progressively slower due to the increasing CPU time spent on the cache; no authentication or user interaction is required (Red Hat Bugzilla).

Mitigation and workarounds

The vulnerability has been fixed in RESTEasy version 4.5.6.Final. Users are advised to upgrade to this version or later to address the issue; no configuration workaround is available, since the RootNode cache cannot be bounded or cleared from outside. Red Hat Enterprise Linux 7 and 8 are not affected by this flaw, as they do not ship versions of RESTEasy that contain the vulnerable code (Red Hat Bugzilla).
