[ARTEMIS-3593] OOM error on rogue message to Artemis Broker - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.6.2
Fix Version/s: 2.19.1, 2.20.0
Component/s: Broker
Labels:
None

Description

A problem been reported by a Security Researcher when a Java process running an embedded Artemis Broker been sent a handcrafted message:

cat /path/to/dospayload.binary > /dev/tcp/<broker_address>/<broker_port>

resulting OutOfMemory crash, please see attachment.

The problem is caused by the fact that a 32-bit integer is read from the stream and byte array is allocated using this value without performing any checks.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

CrashDump.log
30/Nov/21 10:05
160 kB
Viktor Kolomeyko
dospayload.binary
30/Nov/21 10:05
0.2 kB
Viktor Kolomeyko

Issue Links

links to

GitHub Pull Request #3862

GitHub Pull Request #3871

Activity

People

Assignee:: Unassigned

Reporter:: Viktor Kolomeyko

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 30/Nov/21 10:05

Updated:: 07/Feb/22 17:36

Resolved:: 20/Jan/22 14:02

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 40m