Apache ActiveMQ
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*
- >= 6.0.0, < 6.1.6
- >= 5.18.0, < 5.18.7
- >= 5.17.0, < 5.17.7
- < 5.16.8
A memory-allocation vulnerability has been identified in Apache ActiveMQ. While unmarshalling OpenWire commands, the broker did not adequately validate the size values carried in the command stream before allocating buffers of that size. A remote party can therefore trigger excessive memory allocation and cause a denial-of-service (DoS) condition by exhausting the broker process's memory, disrupting every application and service that depends on the broker's availability. The exposure is greatest on brokers that do not require mutual TLS, since any client able to open a connection can send OpenWire commands. The vulnerability affects Apache ActiveMQ versions 6.0.0 prior to 6.1.6, 5.18.0 prior to 5.18.7, 5.17.0 prior to 5.17.7, and 5.16.0 prior to 5.16.8. ActiveMQ 5.19.0 is not affected.
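The defect class described above, a length prefix read from the wire and trusted as an allocation size, is easiest to see side by side with the bounded form. The following is an added illustration written for this page, not ActiveMQ's own OpenWire marshaller: it uses a simplified frame layout (a 4-byte big-endian signed length followed by the payload), a constructed `DEFAULT_MAX_BUFFER` limit, and constructed sample frames. The unbounded reader allocates whatever the prefix claims; the bounded reader rejects negative, over-limit, or truncated lengths before any allocation happens.

```python
import struct

# Constructed limit for this illustration; a real broker sizes this per deployment.
DEFAULT_MAX_BUFFER = 64 * 1024


class UnmarshalError(ValueError):
    """Raised when a frame fails validation before any buffer is allocated."""


def encode_frame(payload: bytes) -> bytes:
    """Build a well-formed frame: 4-byte big-endian length, then the payload."""
    return struct.pack(">i", len(payload)) + payload


def make_mismatched_frame(declared: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a prefix that claims `declared` bytes over a tiny payload."""
    return struct.pack(">i", declared) + payload


def unmarshal_unbounded(data: bytes, offset: int = 0) -> bytearray:
    """Vulnerable pattern: allocate the size the prefix claims, then copy.

    The declared length is never compared with the bytes actually present or
    with any ceiling, so a few bytes on the wire drive an allocation of
    arbitrary size. A short read is papered over with zero bytes.
    """
    (declared,) = struct.unpack_from(">i", data, offset)
    buffer = bytearray(declared)  # allocation sized by untrusted input
    available = data[offset + 4: offset + 4 + declared]
    buffer[:len(available)] = available
    return buffer


def unmarshal_bounded(data: bytes, offset: int = 0,
                      max_buffer: int = DEFAULT_MAX_BUFFER) -> bytes:
    """Hardened pattern: validate the declared length, then allocate."""
    if len(data) - offset < 4:
        raise UnmarshalError("truncated length prefix")
    (declared,) = struct.unpack_from(">i", data, offset)
    if declared < 0:
        raise UnmarshalError(f"negative length {declared}")
    if declared > max_buffer:
        raise UnmarshalError(f"declared length {declared} exceeds limit {max_buffer}")
    remaining = len(data) - offset - 4
    if declared > remaining:
        raise UnmarshalError(
            f"declared length {declared} but only {remaining} payload bytes present")
    # Only now is memory committed, and it is bounded by both the limit and
    # the bytes that really arrived.
    return bytes(data[offset + 4: offset + 4 + declared])


def is_rejected(frame: bytes, max_buffer: int = DEFAULT_MAX_BUFFER) -> bool:
    """True if the bounded reader refuses the frame without allocating."""
    try:
        unmarshal_bounded(frame, max_buffer=max_buffer)
    except UnmarshalError:
        return True
    return False


# Constructed samples: one honest frame, one claiming 16 MiB over a single byte,
# and one claiming 100 bytes over a 3-byte payload.
GOOD_FRAME = encode_frame(b"hello")
OVERSIZED_FRAME = make_mismatched_frame(16 * 1024 * 1024, b"x")
TRUNCATED_FRAME = make_mismatched_frame(100, b"abc")


if __name__ == "__main__":
    print("bounded good frame:", unmarshal_bounded(GOOD_FRAME))
    print("unbounded oversized frame allocates:", len(unmarshal_unbounded(OVERSIZED_FRAME)), "bytes")
    print("bounded rejects oversized:", is_rejected(OVERSIZED_FRAME))
    print("bounded rejects truncated:", is_rejected(TRUNCATED_FRAME))
```

Running the script shows the asymmetry that matters for availability: the oversized frame is five bytes on the wire yet makes the unbounded reader commit 16 MiB, while the bounded reader rejects it, and the truncated frame, before touching the allocator. The same two checks (declared length against a ceiling and against bytes actually present) are what a reviewer looks for in any length-prefixed decoder.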
Exploitation of this vulnerability can lead to a denial-of-service condition by depleting process memory, causing applications and services that rely on the ActiveMQ broker to become unavailable.
Users are advised to upgrade to Apache ActiveMQ 6.1.6 or later, 5.19.0 or later, 5.18.7 or later, 5.17.7, or 5.16.8. Until an affected broker can be upgraded, requiring mutual TLS on its transport connectors helps mitigate the risk by limiting who can send OpenWire commands to it.