Uploaded image for project: 'ActiveMQ Artemis'
  1. ActiveMQ Artemis
  2. ARTEMIS-3593

OOM error on rogue message to Artemis Broker

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.6.2
    • 2.19.1, 2.20.0
    • Broker
    • None

    Description

      A problem been reported by a Security Researcher when a Java process running an embedded Artemis Broker been sent a handcrafted message:

      cat /path/to/dospayload.binary > /dev/tcp/<broker_address>/<broker_port>

      resulting OutOfMemory crash, please see attachment.

      The problem is caused by the fact that a 32-bit integer is read from the stream and byte array is allocated using this value without performing any checks.

      Attachments

        1. CrashDump.log
          160 kB
          Viktor Kolomeyko
        2. dospayload.binary
          0.2 kB
          Viktor Kolomeyko

        Activity

          People

            Unassigned Unassigned
            vkolomeyko Viktor Kolomeyko
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 2h 40m
                2h 40m