
Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition


A critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing malicious actors to exhaust system memory through specially crafted OpenWire commands.

The flaw, tracked as AMQ-6596, affects multiple legacy versions of the widely used open-source messaging platform and has prompted urgent mitigation directives from the Apache Software Foundation.

The vulnerability stems from inadequate validation of buffer size parameters during OpenWire protocol unmarshalling, the process in which serialized network data is converted into Java objects.

Attackers exploiting this flaw can transmit manipulated OpenWire packets containing excessively large buffer size values, forcing vulnerable brokers to allocate disproportionate memory resources.
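The following is an added illustration of the bug class described above; it is not ActiveMQ's OpenWire code and does not reproduce the project's fix. It models a length-prefixed buffer field the way the advisory describes it: an `unmarshal_unchecked` variant sizes its allocation from the peer-supplied length before anything else is verified, while `unmarshal_bounded` rejects the declared size against a limit before allocating. All names and the 1 MiB limit are assumptions for this model; the real broker-side knob that plays the same role is the transport connector's `wireFormat.maxFrameSize` option.

```python
"""Constructed model of a length-prefixed buffer unmarshaller.

Not ActiveMQ code. The 'unchecked' function shows the pattern the advisory
describes (allocation driven by an untrusted length field); the 'bounded'
function shows the shape of the fix (bound the declared size first).
"""
import struct

# Assumed limit for this model. In ActiveMQ the comparable setting is the
# transport connector's wireFormat.maxFrameSize option.
MAX_FRAME_SIZE = 1024 * 1024  # 1 MiB


class FrameTooLarge(ValueError):
    """Raised when a declared buffer size exceeds the configured limit."""


def read_size_header(data: bytes) -> int:
    """Decode the 4-byte big-endian signed size prefix of a buffer field."""
    if len(data) < 4:
        raise ValueError("truncated size header")
    (size,) = struct.unpack_from(">i", data, 0)
    if size < 0:
        raise ValueError("negative buffer size")
    return size


def unmarshal_unchecked(data: bytes) -> bytes:
    """Vulnerable shape: allocate whatever the peer declared, then fill it.

    A seven-byte message can drive an allocation of up to 2**31-1 bytes
    because nothing bounds `size` before bytearray(size) runs.
    """
    size = read_size_header(data)
    buf = bytearray(size)              # allocation sized by untrusted input
    payload = data[4:4 + size]         # whatever actually arrived
    buf[:len(payload)] = payload
    return bytes(buf)


def unmarshal_bounded(data: bytes, max_frame_size: int = MAX_FRAME_SIZE) -> bytes:
    """Hardened shape: validate the declared size before any allocation."""
    size = read_size_header(data)
    if size > max_frame_size:
        raise FrameTooLarge(f"declared {size} bytes, limit is {max_frame_size}")
    payload = data[4:4 + size]
    if len(payload) != size:
        raise ValueError("declared size exceeds bytes received")
    return bytes(payload)


def build_frame(payload: bytes, declared_size=None) -> bytes:
    """Constructed helper: prefix a payload with its size header.

    `declared_size` lets a test assert what happens when the header and the
    real payload length disagree, which is the condition the check catches.
    """
    size = len(payload) if declared_size is None else declared_size
    return struct.pack(">i", size) + payload


if __name__ == "__main__":
    good = build_frame(b"abc")
    print(unmarshal_bounded(good))                    # b'abc'
    lying = build_frame(b"abc", declared_size=64 * 1024 * 1024)
    print(len(lying), "bytes on the wire")            # 7 bytes on the wire
    print(len(unmarshal_unchecked(lying)), "bytes allocated by unchecked path")
    try:
        unmarshal_bounded(lying)
    except FrameTooLarge as exc:
        print("bounded path refused:", exc)
```

The point the model makes is ordering: the size check must run before the allocation, and a second check that the declared size matches the bytes actually received catches headers that are under the limit but still lie. On a real broker, the equivalent defence is keeping `maxFrameSize` at a value your traffic actually needs rather than the default, alongside upgrading to a fixed release.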

Affected versions include:

  • Apache ActiveMQ 6.x: All versions from 6.0.0 through 6.1.5
  • Apache ActiveMQ 5.x: Versions 5.18.0–5.18.6, 5.17.0–5.17.6, and all releases prior to 5.16.8

Notably, ActiveMQ 5.19.0 and later remain unaffected due ...


Copyright of this story solely belongs to gbhackers.