Apache ActiveMQ
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*
- < 5.19.4
- >= 6.0.0, < 6.2.4
A denial-of-service vulnerability causing out-of-memory conditions has been identified in Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ All. The issue lies in the NIO SSL transports, which improperly handle TLSv1.3 handshake KeyUpdate messages initiated by clients. A client can trigger these updates in rapid succession, causing the broker to exhaust memory in the SSL engine and resulting in a denial-of-service condition. TLS versions prior to 1.3, such as TLSv1.2, exhibit a similar weakness but do not lead to out-of-memory conditions: they require a complete handshake renegotiation instead, so affected connections hang without consuming additional memory. This vulnerability affects Apache ActiveMQ Client versions prior to 5.19.4 and versions from 6.0.0 up to (but not including) 6.2.4, as well as Apache ActiveMQ Broker and Apache ActiveMQ All in the same version ranges.
Exploitation of this vulnerability leads to a denial-of-service condition, where the broker exhausts its memory resources, causing disruptions in service.
Users are advised to upgrade to Apache ActiveMQ versions 6.2.4 or 5.19.5, both of which address this vulnerability.