| CVE-2017-12174: Memory exhaustion via UDP and JGroups discovery |
| |
| Severity: High |
| |
| Vendor: The Apache Software Foundation |
| |
| Versions Affected: 1.0.0, 1.1.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, |
| 1.5.2, 1.5.3, 1.5.4, 1.5.5, 2.0.0, 2.1.0, 2.2.0, 2.3.0 |
| |
| Description: |
| |
| If an Apache Artemis broker is configured with discovery enabled (either |
| UDP or JGroups), on receiving a packet over a discovery endpoint, Apache |
| Artemis will attempt to decode the packet and, as part of that, an encoded |
| simple string. The first four bytes of the encoded simple string represent |
| its length. During the decoding process Apache Artemis will create a byte |
| array of the same length. It is possible therefore to send a manipulated |
| packet to Apache Artemis with a very large integer in the first four bytes |
| of the simple string encoding. Upon receiving the packet the broker will |
| attempt to allocate a byte array of this large size. This could result in |
| heap memory exhaustion, full GC or in the worst case an unrecoverable |
| OutOfMemoryError, resulting in loss of service. |
| |
| Mitigation: Upgrade to Apache Artemis 1.5.6 or 2.4.0 |
| |
| Credit: This issue was discovered by Bharti Kundal of Red Hat Inc. |
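
The decoding pattern from the Description, next to a bounded form, as an added example that is not Apache Artemis source code. The class and method names, the 4096-byte cap, big-endian byte order and the sample buffers are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class BoundedSimpleStringDecode {
    // Hypothetical cap for this sketch; pick one that fits the real payloads.
    static final int MAX_SIMPLE_STRING_BYTES = 4096;

    // Pattern the advisory describes: the length read from the packet sizes
    // the allocation before any of the data is known to exist.
    static byte[] decodeUnbounded(ByteBuffer in) {
        int len = in.getInt();
        byte[] data = new byte[len];   // allocation sized by the sender
        in.get(data);
        return data;
    }

    // Bounded form: check the declared length against a fixed cap and against
    // the bytes actually received, and only then allocate.
    static byte[] decodeBounded(ByteBuffer in) {
        if (in.remaining() < Integer.BYTES) {
            throw new IllegalArgumentException("truncated length prefix");
        }
        int len = in.getInt();
        if (len < 0 || len > MAX_SIMPLE_STRING_BYTES || len > in.remaining()) {
            throw new IllegalArgumentException("rejected declared length " + len);
        }
        byte[] data = new byte[len];
        in.get(data);
        return data;
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed field, and a 4-byte prefix that
        // declares Integer.MAX_VALUE bytes with nothing behind it.
        byte[] body = "node-1".getBytes(StandardCharsets.UTF_8);
        ByteBuffer good = ByteBuffer.allocate(4 + body.length).putInt(body.length).put(body);
        good.flip();
        ByteBuffer bad = ByteBuffer.allocate(4).putInt(Integer.MAX_VALUE);
        bad.flip();

        System.out.println(new String(decodeBounded(good), StandardCharsets.UTF_8));
        try {
            decodeBounded(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("dropped packet: " + e.getMessage());
        }
    }
}
```

Because a datagram can never carry more bytes than were received, the `len > in.remaining()` check alone already keeps the allocation no larger than the packet; the fixed cap adds a second limit for stream-based transports.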