By repeatedly requesting a feature that consumes a lot of memory, attackers can constantly occupy an important part of an application’s hosting
server memory. Depending on the application’s deployment architecture, hosting server resources and attackers' capabilities, this can lead to an
exhaustion of the available server’s memory.
What is the potential impact?
A server that faces a memory exhaustion situation can become unstable. The exact impact will depend on how the affected application is deployed and
how well the hosting server configuration is hardened.
In the worst case, when the application is deployed in an uncontained environment, directly on its host system, the memory exhaustion will affect
the whole hosting server. The server’s operating system might start killing arbitrary memory-intensive processes, including the main application or
other sensitive ones. This will result in a general operating failure, also known as a Denial of Service (DoS).
In cases where the application is deployed in a virtualized or otherwise contained environment, or where memory usage limits are in place, the
consequences are limited to the vulnerable application only. In that case, other processes and applications hosted on the same server may keep on
running without perturbation. The mainly affected application will still stop working properly.
In general, that kind of DoS attack can have severe financial consequences. They are particularly important when the affected systems are
business-critical.
