VYPR
High severity · NVD Advisory · Published Feb 4, 2022 · Updated Aug 3, 2024

Apache ActiveMQ Artemis DoS

CVE-2022-23913

Description

Apache ActiveMQ Artemis before 2.20.0/2.19.1 allows denial of service via memory exhaustion when parsing crafted XIDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apache ActiveMQ Artemis versions before 2.20.0 and 2.19.1, a memory exhaustion vulnerability exists in the parsing of XA transaction identifiers (XIDs). The vulnerable code path is reached when the broker receives a crafted, oversized XID: the broker allocates memory for the XID without bounding its size, so memory consumption is uncontrolled. The issue is tracked as ARTEMIS-3593 and was addressed by a commit that adds defense against OOM (Out-of-Memory) errors during XID parsing [1][2][3].
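As an added illustration, not Artemis's own code or its fix, the following Java shows the allocation pattern described above: a length-prefixed XID decoder that trusts the length the peer claims, beside one that bounds each length before allocating. The wire layout (formatId, then length-prefixed gtrid and bqual) is an assumption for the example; the 64-byte limits are the XA limits for those two fields.

```java
import java.nio.ByteBuffer;

public final class XidDecodeExample {
    // XA limits on the two XID byte arrays (javax.transaction.xa.Xid.MAXGTRIDSIZE / MAXBQUALSIZE).
    static final int MAX_GTRID_SIZE = 64;
    static final int MAX_BQUAL_SIZE = 64;

    record DecodedXid(int formatId, byte[] gtrid, byte[] bqual) {}
    // Assumed wire layout: formatId(int32), gtridLen(int32), gtrid, bqualLen(int32), bqual.

    // Trusting decoder: allocates whatever length the peer claims. A claimed length near
    // Integer.MAX_VALUE means a ~2 GiB allocation before any body byte is read (the pattern above).
    static DecodedXid decodeTrusting(ByteBuffer in) {
        int formatId = in.getInt();
        byte[] gtrid = new byte[in.getInt()]; // unbounded allocation
        in.get(gtrid);
        byte[] bqual = new byte[in.getInt()]; // unbounded allocation
        in.get(bqual);
        return new DecodedXid(formatId, gtrid, bqual);
    }

    // Hardened decoder: validate each claimed length before allocating anything.
    static DecodedXid decodeChecked(ByteBuffer in) {
        int formatId = in.getInt();
        byte[] gtrid = readBounded(in, MAX_GTRID_SIZE, "gtrid");
        byte[] bqual = readBounded(in, MAX_BQUAL_SIZE, "bqual");
        return new DecodedXid(formatId, gtrid, bqual);
    }

    // Reject lengths that are negative, exceed the XA limit, or exceed the bytes actually present.
    private static byte[] readBounded(ByteBuffer in, int max, String field) {
        int len = in.getInt();
        if (len < 0 || len > max || len > in.remaining()) {
            throw new IllegalArgumentException(field + " length " + len + " is out of bounds");
        }
        byte[] out = new byte[len]; // at most 64 bytes and fully backed by the buffer
        in.get(out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed hostile frame: formatId 1, gtrid length claimed as Integer.MAX_VALUE, no body.
        ByteBuffer frame = ByteBuffer.allocate(8).putInt(1).putInt(Integer.MAX_VALUE).flip();
        try {
            decodeChecked(frame);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
        // decodeTrusting(frame) would instead attempt the huge allocation and throw OutOfMemoryError.
    }
}
```

The checked decoder fails closed on the length field alone, so the cost of a hostile frame is a few bytes of buffer rather than an allocation sized by the sender.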

Exploitation

An attacker with network access to the Artemis broker can send a specially crafted binary message containing an oversized XID. No authentication is required to trigger the vulnerable code path; the attacker simply sends the malicious payload to the broker's port. The broker then attempts to parse the XID, allocating excessive memory without proper bounds checking [3][4].

Impact

Successful exploitation results in uncontrolled memory consumption, causing the broker to run out of memory and leading to a partial denial of service (DoS) scenario. Availability of the messaging service is disrupted, as the broker may crash or become unresponsive. Confidentiality and integrity are not directly affected [4].

Mitigation

The vulnerability is fixed in Apache ActiveMQ Artemis versions 2.20.0 and 2.19.1 (released in January/February 2022). Users should upgrade to one of these versions or later. No workarounds are documented in the available references; upgrading is the recommended mitigation [1][2][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Ecosystem   Affected versions   Patched versions
org.apache.activemq:artemis-core-client  Maven       < 2.19.1            2.19.1
