List: oss-security
Subject: Re: [oss-security] CVE Request for Apache ActiveMQ DoS
From: Kurt Seifried <kseifried@redhat.com>
Date: 2011-12-25 19:13:00
Message-ID: 4EF775BC.2010201@redhat.com
On 12/24/2011 05:37 PM, David Jorm wrote:
> A flaw in Apache ActiveMQ before 5.6.0 could allow a remote unauthenticated
> attacker to abuse the 'failover' feature, allowing them to trigger a denial of
> service against the broker service. An attacker can issue multiple ActiveMQ
> openwire connection requests using the string 'failover:tcp://[IP]:61616', and
> due to the 'failure' mechanism, all TCP connections remain active even if a
> valid session is not created. After a few thousand requests, a
> 'java.net.SocketException: Too many open files' exception is triggered, leading
> to a freeze or crash of the broker (and possibly connected systems as well).
>
> Upstream bug:
> https://issues.apache.org/jira/browse/AMQ-3294
>
> Secunia advisory:
> http://secunia.com/advisories/47112
>
> Patch commits:
> http://svn.apache.org/viewvc?view=revision&revision=1209700
> http://svn.apache.org/viewvc?view=revision&revision=1211844
>
Please use CVE-2011-4905 for this issue.
--
-Kurt Seifried / Red Hat Security Response Team
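The report above describes the symptom to look for on a broker host: thousands of TCP connections to the OpenWire port (61616) from a single peer that never complete a session, until the JVM runs out of file descriptors. The script below is an added example, not code from this thread or from the ActiveMQ project. It parses `ss -tn`-style socket lines (the sample is constructed inline; the broker address, peer addresses, the per-peer threshold of 100 and the `ulimit -n` value of 1024 are all assumptions) and flags peers holding an abnormal number of established connections, plus how close the total is to the descriptor limit that produces the "Too many open files" exception.

```python
"""Connection-exhaustion check for an ActiveMQ broker host (added example).

Parses lines in the layout printed by `ss -tn`:
    State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
and counts established connections to the broker's OpenWire port per peer.
"""
from collections import Counter
import re

BROKER_PORT = 61616  # OpenWire port named in the report

# One `ss -tn` data row; the header row does not match and is skipped.
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
)


def parse_ss(lines):
    """Yield (state, local_port, remote_addr) for each socket row that parses."""
    for line in lines:
        m = SS_LINE.match(line.strip())
        if m:
            yield m.group("state"), int(m.group("lport")), m.group("raddr")


def connections_per_peer(lines, port=BROKER_PORT):
    """Count ESTAB connections whose local port is `port`, keyed by peer address."""
    counts = Counter()
    for state, lport, raddr in parse_ss(lines):
        if state == "ESTAB" and lport == port:
            counts[raddr] += 1
    return counts


def suspicious_peers(lines, threshold=100, port=BROKER_PORT):
    """Peers holding more than `threshold` connections to the port, busiest first.

    `threshold` is an assumed value; a broker with many legitimate clients
    behind one NAT address would need it raised.
    """
    counts = connections_per_peer(lines, port)
    return [(peer, n) for peer, n in counts.most_common() if n > threshold]


def fd_pressure(lines, nofile_limit, port=BROKER_PORT):
    """Return (connections_to_port, share_of_fd_limit_consumed).

    Every accepted TCP socket costs the JVM one file descriptor, so as the
    share approaches 1.0 the next accept() fails with
    'java.net.SocketException: Too many open files'.
    """
    total = sum(connections_per_peer(lines, port).values())
    return total, total / nofile_limit


# Constructed sample: one peer (203.0.113.9) holding 500 idle OpenWire
# connections, three legitimate client connections, one web-console
# connection on 8161, and one TIME-WAIT socket that should not count.
SAMPLE_SS_OUTPUT = (
    ["State  Recv-Q Send-Q Local Address:Port   Peer Address:Port"]
    + ["ESTAB 0 0 10.0.0.5:61616 203.0.113.9:%d" % (40000 + i) for i in range(500)]
    + ["ESTAB 0 0 10.0.0.5:61616 10.0.0.21:%d" % (50000 + i) for i in range(3)]
    + ["ESTAB 0 0 10.0.0.5:8161 10.0.0.22:51234"]
    + ["TIME-WAIT 0 0 10.0.0.5:61616 10.0.0.23:51999"]
)

ASSUMED_NOFILE_LIMIT = 1024  # what `ulimit -n` might report for the broker user


if __name__ == "__main__":
    # On a real host: ss -tn | python3 this_script.py  (replace SAMPLE_SS_OUTPUT
    # with sys.stdin) -- kept offline here so it runs without a broker.
    for peer, n in suspicious_peers(SAMPLE_SS_OUTPUT):
        print("peer %s holds %d connections to port %d" % (peer, n, BROKER_PORT))
    total, share = fd_pressure(SAMPLE_SS_OUTPUT, ASSUMED_NOFILE_LIMIT)
    print("%d sockets to port %d, %.0f%% of an fd limit of %d"
          % (total, BROKER_PORT, share * 100, ASSUMED_NOFILE_LIMIT))
```

Only ESTAB sockets on the broker's own port are counted, so TIME-WAIT residue and the web console on 8161 do not inflate the figure; the per-peer breakdown is what distinguishes this pattern from a broker that is simply busy, which is also why it is the right number to alert on while the upgrade to a fixed release is scheduled.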