Apache ActiveMQ Remaining Length Field Validation Vulnerability in MQTT Control Packets

Vulnerability

A vulnerability exists in Apache ActiveMQ in versions prior to 5.19.2, in the 6.0.0 to 6.1.8 range, and in 6.2.0 prior to 6.2.1. ActiveMQ does not properly validate the remaining length field in MQTT control packets, so decoding a malformed packet can cause an integer overflow. The overflow makes ActiveMQ compute the wrong total remaining length and misinterpret the payload as multiple MQTT control packets. As a result, the broker may exhibit unexpected behavior when dealing with non-compliant clients that violate the MQTT v3.1.1 specification, which limits the remaining length field to a maximum of 4 bytes. The issue is reachable only on established, authenticated connections and only on brokers with MQTT transport connectors enabled.
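The following decoder, added here as an illustration and not taken from Apache ActiveMQ, shows the check the advisory says was missing: the MQTT v3.1.1 remaining length field is a variable-length integer of 1 to 4 bytes (7 data bits per byte, high bit as continuation flag, maximum value 268,435,455). The hardened decoder stops at the fourth byte and rejects anything longer; a frame splitter built on it refuses to carry on past a bad header. A deliberately unbounded 32-bit decoder is included only to show how extra continuation bytes wrap the value to something unrelated to the bytes on the wire, which is the failure class described above. All packet bytes are constructed sample input, and the helper names are this example's own.

```python
"""Spec-conformant decoding of the MQTT v3.1.1 'Remaining Length' field.

Illustrative code for this advisory; it is not Apache ActiveMQ's implementation.
"""
from __future__ import annotations

MAX_REMAINING_LENGTH_BYTES = 4          # MQTT v3.1.1 section 2.2.3
MAX_REMAINING_LENGTH = 268_435_455       # 0xFF 0xFF 0xFF 0x7F


class MalformedPacket(ValueError):
    """Raised when a fixed header violates the MQTT v3.1.1 encoding rules."""


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (remaining_length, bytes_consumed) for the field at `offset`.

    Stops after four bytes instead of continuing to accumulate, which is the
    bound whose absence lets a malformed header overflow the computed length.
    """
    value = 0
    multiplier = 1
    for i in range(MAX_REMAINING_LENGTH_BYTES):
        pos = offset + i
        if pos >= len(buf):
            raise MalformedPacket("truncated Remaining Length field")
        byte = buf[pos]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:          # continuation bit clear: field complete
            return value, i + 1
    # A fifth byte would be required; the encoding exceeds the 4-byte limit.
    raise MalformedPacket("Remaining Length field longer than 4 bytes")


def split_control_packets(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a byte stream into (packet_type, body) pairs using the fixed header.

    Any malformed or truncated header aborts the whole stream rather than
    letting a bad length resynchronise the parser on client-chosen bytes.
    """
    packets: list[tuple[int, bytes]] = []
    pos = 0
    while pos < len(stream):
        packet_type = stream[pos] >> 4         # upper nibble of byte 1
        length, used = decode_remaining_length(stream, pos + 1)
        start = pos + 1 + used
        end = start + length
        if end > len(stream):
            raise MalformedPacket("Remaining Length exceeds available data")
        packets.append((packet_type, stream[start:end]))
        pos = end
    return packets


def is_well_formed(stream: bytes) -> bool:
    """True if every fixed header in `stream` decodes under the spec's rules."""
    try:
        split_control_packets(stream)
    except MalformedPacket:
        return False
    return True


def naive_decode_32bit(buf: bytes) -> int:
    """Constructed, deliberately unbounded decoder with 32-bit wrap-around.

    Shows the failure class only: with no 4-byte limit, extra continuation
    bytes keep shifting and the accumulated value wraps, so the length no
    longer corresponds to the wire encoding. Not ActiveMQ's code.
    """
    value = 0
    shift = 0
    for byte in buf:
        value = (value | ((byte & 0x7F) << shift)) & 0xFFFFFFFF
        shift += 7
        if not byte & 0x80:
            break
    return value


if __name__ == "__main__":
    # Constructed sample stream: PINGRESP (type 13, empty) then PUBLISH (type 3, 3-byte body).
    good = b"\xd0\x00" + b"\x30\x03abc"
    print(split_control_packets(good))
    # Constructed 6-byte encoding: rejected by the bounded decoder, wraps to 0 in the naive one.
    bad = b"\x80\x80\x80\x80\x80\x01"
    print(is_well_formed(b"\x30" + bad), naive_decode_32bit(bad))
```

The spec examples give the expected values: a single byte 0x7F is 127, 0x80 0x01 is 128, and 0xFF 0xFF 0xFF 0x7F is the maximum 268,435,455. A header whose continuation bit is still set after the fourth byte is rejected outright instead of being parsed into a wrong length.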

Impact

Exploitation of this vulnerability triggers an integer overflow that causes MQTT control packets to be parsed incorrectly. The resulting misparsing can disrupt normal broker operations, especially when the broker is interacting with non-compliant clients.

Remediation

Users are advised to upgrade to Apache ActiveMQ versions 5.19.2, 6.1.9, or 6.2.1, all of which address this vulnerability.

Added: Mar 4, 2026, 9:22 AM
Updated: Mar 4, 2026, 10:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 1.3
exploitability: 4.9
remediation: 7.7
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.