Memory Leak in Cassandra

A memory leak in a Cassandra backend typically appears as unbounded consumption of heap or off‑heap memory during query execution. Common patterns include:

• Returning large result sets without a LIMIT clause, causing the coordinator to buffer entire rows in memory.
• Using ALLOW FILTERING on tables without a proper primary key, which forces full table scans and can exceed heap limits.
• Executing batches with overly large INSERT or UPDATE counts, leading to excessive write buffers.
• Improper use of counters or wide rows that grow without bound, especially when client drivers accumulate results.
• Long‑running aggregations or GROUP BY queries that materialize intermediate data structures.

These issues map to CWE‑400 (Uncontrolled Resource Consumption) and can be triggered by unauthenticated API calls that expose internal storage engines. Real‑world incidents have been linked to CVE‑2021‑41772 (Cassandra 4.0 remote code execution) where malformed queries caused excessive memory allocation.

middleBrick detects potential memory‑leak risks by analyzing the unauthenticated API surface. The scanner:

• Parses CQL statements in request bodies and query parameters for missing LIMIT, unbounded SELECT *, or ALLOW FILTERING usage.
• Inspects request headers and JSON payloads for large batch_size values or excessive IN clause lengths.
• Monitors response size and timing; responses larger than a configurable threshold (e.g., >10 MB) trigger a high severity finding.
• Cross‑references OpenAPI definitions to flag endpoints that accept unconstrained parameters.

Example of a detected pattern:

GET /api/v1/users?status=active&page=0&pageSize=0

middleBrick flags the missing pageSize limit and suggests adding a maximum page size.

In practice, the scanner will raise a finding when it observes any of the following:

• Requests that reference tables with high cardinality without pagination.
• Batch statements exceeding 100 statements.
• Responses that contain more than 10 000 rows without a LIMIT.

These indicators are mapped to OWASP API Top 10 A01:2021 – Broken Access Control when they lead to resource exhaustion.

Remediation focuses on constraining memory usage at the query and driver level. Recommended steps include:

• Always append a LIMIT (or MAXROWS in newer drivers) to queries that could return large result sets.
• Replace SELECT * with explicit column lists to avoid fetching unnecessary data.
• Remove ALLOW FILTERING when a proper secondary index exists; otherwise, redesign the data model.
• Set driver‑level limits such as maxBytesPerPartition and maxResultSize to prevent buffering beyond safe bounds.
• Cap batch sizes; a typical safe maximum is 100 statements per batch.
• Use prepared statements with bound variables to avoid dynamic query parsing that can lead to unbounded allocations.

Code example – adding a limit in Java driver:

PreparedStatement stmt = session.prepare("SELECT * FROM users WHERE tenant_id = ?")
    .setConsistencyLevel(ConsistencyLevel.ONE)
    .bind(tenantId)
    .setBoundStatement(stmt)
    .setPageSize(100); // enforce maximum rows

Example – restricting batch size in CQL:

BEGIN BATCH
  INSERT INTO events (event_id, event_date) VALUES ('e1', toDate('2024-01-01'));
  INSERT INTO events (event_id, event_date) VALUES ('e2', toDate('2024-01-02'));
  -- Do not exceed 100 statements per batch
APPLY BATCH;

Finally, monitor memory usage in production with tools like nodetool metrics and set alerts when heap usage approaches 80 % of available RAM.