Seen in the field with PE. In trapperkeeper-webserver-jetty9 (and possibly other versions), it naively loads the full contents of the file provided by the :ssl-crl-path config option. If the file is huge and you don't have enough heap, it's OOM time.
I think this is coming from https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/java/com/puppetlabs/trapperkeeper/services/webserver/jetty9/utils/InternalSslContextFactory.java. We see tons of sun.security.x509.X509CRLEntryImpl objects (retained by sun.security.x509.X509CRLImpl) in the heap dump from the one incident. I'm not sure whether this impacts the underlying Jetty SslContextFactory or not; but either way to we should try to get this to load the data more carefully.