1696012 – (CVE-2019-0222) CVE-2019-0222 activemq: Corrupt MQTT frame can cause broker shutdown

Bug 1696012 (CVE-2019-0222) - CVE-2019-0222 activemq: Corrupt MQTT frame can cause broker shutdown

Summary: CVE-2019-0222 activemq: Corrupt MQTT frame can cause broker shutdown

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-0222
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1696013
Blocks:	1696014
TreeView+	depends on / blocked

Reported:	2019-04-04 02:51 UTC by Pedro Sampaio
Modified:	2020-12-15 15:44 UTC (History)
CC List:	60 users (show)
Fixed In Version:	activemq 5.15.9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-23 10:32:04 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:0922	0	None	None	None	2020-03-23 08:21:48 UTC
Red Hat Product Errata	RHSA-2020:1445	0	None	None	None	2020-04-14 13:04:56 UTC

Description Pedro Sampaio 2019-04-04 02:51:46 UTC

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

References:

http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt

Comment 1 Pedro Sampaio 2019-04-04 02:52:03 UTC

Created activemq tracking bugs for this issue:

Affects: fedora-all [bug 1696013]

Comment 2 Doran Moppert 2019-05-08 06:17:54 UTC

This flaw is in ActiveMQ 5.x, not ActiveMQ Artemis which is a different codebase based on HornetMQ.

Comment 3 Joshua Padman 2019-05-15 23:03:09 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 4 Paramvir jindal 2019-07-22 10:32:29 UTC

Since this is not an issue with ActiveMQ Artemis, JDG and RHSSO are not affected.

Comment 5 Joshua Padman 2019-08-12 01:19:04 UTC

This vulnerability is out of security support scope for the following products:
 * JBoss Developer Studio 11

Please refer to https://access.redhat.com/node/4027141 for more details.

Comment 9 errata-xmlrpc 2020-03-23 08:21:39 UTC

This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

Comment 10 Product Security DevOps Team 2020-03-23 10:32:04 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0222

Comment 11 errata-xmlrpc 2020-04-14 13:04:52 UTC

This issue has been addressed in the following products:

  Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445

Note You need to log in before you can comment on or make changes to this bug.

agrimm
aileenc
alazarot
anstephe
ataylor
bmaxwell
bmcclain
cdewolf
chazlett
csutherl
darran.lofthouse
dblechte
dfediuck
dimitris
dosoudil
drieden
eedri
etirelli
ganandan
ggaughan
gvarsami
ibek
janstey
java-sig-commits
jawilson
jcoleman
jochrist
jshepherd
jwon
kconner
krathod
kverlaen
ldimaggi
lgao
mgoldboi
michal.skrivanek
myarboro
nwallace
paradhya
pdrozd
pgier
pslavice
psotirop
puntogil
rnetuka
rrajasek
rsvoboda
rsynek
rwagner
rzhang
sbonazzo
sdaley
sherold
s
sthorger
tcunning
tdawson
tkirby
twalsh
vtunka