=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN279

_____________________________________________________________________

DATE                : 06/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache ActiveMQ 6.0.0 before 6.1.6,
                    5.18.0 before 5.18.7, 5.17.0 before 5.17.7, or any
                    release before 5.16.8.

=====================================================================
https://lists.apache.org/thread/fotongz1nzwdtgoo19063g3hy84phptl
_____________________________________________________________________

CVE-2025-27533: Apache ActiveMQ: Unchecked buffer length can cause
excessive memory allocation
Affected versions:

- Apache ActiveMQ 6.0.0 before 6.1.6
- Apache ActiveMQ 5.18.0 before 5.18.7
- Apache ActiveMQ 5.17.0 before 5.17.7
- Apache ActiveMQ 5.16.0 before 5.16.8


Description:

Memory Allocation with Excessive Size Value vulnerability in Apache
ActiveMQ.

During unmarshalling of OpenWire commands the size value of buffers
was not properly validated which could lead to excessive memory
allocation and be exploited to cause a denial of service (DoS) by
depleting process memory, thereby affecting applications and services
that rely on the availability of the ActiveMQ broker when not using
mutual TLS connections.
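The paragraph above describes the general shape of the bug: a length field read off the wire is used to size an allocation before anyone checks that it is sane or that the declared bytes actually exist. The following example is added to this note to illustrate that pattern and its fix; it is not ActiveMQ's code and does not reproduce OpenWire's actual encoding. It assumes a constructed, simplified frame layout (a 4-byte big-endian signed length followed by the payload) and a hypothetical 1 MiB per-buffer cap (`MAX_BUFFER_SIZE`); `read_buffer_unchecked`, `read_buffer_checked`, `build_frame`, `hostile_frame` and `memory_demanded` are names chosen for this example.

```python
import struct

# Constructed, simplified frame layout used only for this illustration:
# a 4-byte big-endian signed length, then that many payload bytes.
# OpenWire's real encoding is richer; nothing here is ActiveMQ's own code.
LENGTH_PREFIX = struct.Struct(">i")

# Hypothetical per-buffer cap. A real broker would derive this from its
# configured maximum frame size; 1 MiB is an assumption for this example.
MAX_BUFFER_SIZE = 1 << 20


class FrameError(ValueError):
    """Raised by the hardened reader when a frame is malformed or hostile."""


def build_frame(payload: bytes) -> bytes:
    """Encode a well-formed frame: the declared length matches the payload."""
    return LENGTH_PREFIX.pack(len(payload)) + payload


def hostile_frame(declared_size: int) -> bytes:
    """Encode a 4-byte frame that declares a size but carries no payload."""
    return LENGTH_PREFIX.pack(declared_size)


def read_buffer_unchecked(frame: bytes) -> bytes:
    """Vulnerable pattern: allocate whatever the peer declares.

    The allocation happens before a single payload byte has been seen, so
    the peer decides how much memory the reader commits. In a blocking
    socket reader the buffer would then stay allocated while the reader
    waits for payload bytes that never arrive.
    """
    (size,) = LENGTH_PREFIX.unpack_from(frame, 0)
    buf = bytearray(size)                      # sized by the peer, unchecked
    payload = frame[4:4 + size]
    buf[:len(payload)] = payload               # copy whatever payload exists
    return bytes(buf)


def read_buffer_checked(frame: bytes, max_size: int = MAX_BUFFER_SIZE) -> bytes:
    """Hardened pattern: bound the declared size before allocating.

    Three checks, in order: the length prefix itself is present, the
    declared size lies within 0..max_size, and the declared bytes are
    actually on the wire. Any failure rejects the frame without allocating
    a payload buffer at all.
    """
    if len(frame) < LENGTH_PREFIX.size:
        raise FrameError("truncated length prefix")
    (size,) = LENGTH_PREFIX.unpack_from(frame, 0)
    if size < 0 or size > max_size:
        raise FrameError(f"declared size {size} outside 0..{max_size}")
    available = len(frame) - LENGTH_PREFIX.size
    if size > available:
        raise FrameError(f"declared size {size} exceeds {available} bytes on the wire")
    return bytes(frame[LENGTH_PREFIX.size:LENGTH_PREFIX.size + size])


def memory_demanded(frame: bytes) -> int:
    """Bytes the unchecked reader would allocate for a frame, without allocating them."""
    (size,) = LENGTH_PREFIX.unpack_from(frame, 0)
    return max(size, 0)


if __name__ == "__main__":
    good = build_frame(b"hello broker")
    assert read_buffer_unchecked(good) == read_buffer_checked(good) == b"hello broker"

    # A 4-byte frame declaring 1 GiB: the unchecked reader would commit 1 GiB
    # of process memory per such frame; the checked reader rejects it outright.
    bomb = hostile_frame(1 << 30)
    print("bytes on the wire:", len(bomb), "bytes demanded:", memory_demanded(bomb))
    try:
        read_buffer_checked(bomb)
    except FrameError as exc:
        print("rejected:", exc)
```

The amplification is the whole point: four bytes on the wire drive an allocation of whatever the attacker writes into the length field, and a handful of such frames on unauthenticated connections is enough to exhaust a process. The hardened reader rejects the frame before any allocation, and also refuses frames whose declared length exceeds the bytes actually received, which is the check that a streaming reader most often forgets.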

This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from
5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8.
ActiveMQ 5.19.0 is not affected.

Users are recommended to upgrade to version 6.1.6, 5.19.0, 5.18.7, 5.17.7,
or 5.16.8 (or later), which fixes the issue.

Existing users may implement mutual TLS to mitigate the risk on affected
brokers. Mutual TLS only limits which peers can reach the OpenWire transport;
it does not remove the unchecked size from an unpatched broker, so treat it
as a stopgap until the upgrade is applied.

This issue is being tracked as AMQ-6596.


References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27533
https://issues.apache.org/jira/browse/AMQ-6596


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
