Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN249
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache ActiveMQ versions prior
                             to 5.19.2, 6.1.9, 6.2.1.

=====================================================================
https://lists.apache.org/thread/h0t5v4gxqffd4stqfw3h3q7sd263gbhl
_____________________________________________________________________

CVE-2025-66168: Apache ActiveMQ, Apache ActiveMQ All Module, Apache
ActiveMQ MQTT Module: MQTT control packet remaining length field is
not properly validated
Severity: 

Affected versions:

- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before 6.1.9
- Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before 6.2.1
- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.1.9
- Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before 6.2.1

Description:

Apache ActiveMQ does not properly validate the remaining length field
which may lead to an overflow during the decoding of malformed
packets. When this integer overflow occurs, ActiveMQ may incorrectly
compute the total Remaining Length and subsequently misinterpret the
payload as multiple MQTT control packets which makes the broker
susceptible to unexpected behavior when interacting with
non-compliant clients. This behavior violates the MQTT v3.1.1
specification, which restricts Remaining Length to a maximum of 4
bytes. The scenario occurs on established connections after the 
authentication process. Brokers that are not enabling mqtt
transport connectors are not impacted.

This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8,
and 6.2.0

Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1,
which fixes the issue.

Credit:

Gai Tanaka <64...@gmail.com> (finder)

References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-66168


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================