TOR-021 — metrics-lib – Denial of service in DescriptorImpl getRawDescriptorBytes via descriptor file

The metrics-lib is vulnerable to a DoS attack if attackers can pass it an arbitrary descriptor file. The exploitation of this vulnerability leads to a denial of service. Depending on the usage, it can terminate the entire application that imports the metrics-lib if attackers have control over the contents of a descriptor file.

• Vulnerability type: CWE-789: Memory Allocation with Excessive Size Value
• Threat level: Moderate.

Recommendation: Catch the OutOfMemoryError exception thrown by the JVM and abort the whole parsing process.