Skip to main content

Artemis CVE-2017-12174

HIGH
Uncontrolled Resource Consumption (CWE-400)
2018-03-07 secalert@redhat.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 07, 2018 - 22:29 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 59 maven packages depend on org.apache.activemq:artemis-native (2 direct, 57 indirect)
  • 18 maven packages depend on org.hornetq:hornetq-server (13 direct, 5 indirect)

Ecosystem-wide dependent count for version 2.4.0 and other introduced versions.

DescriptionNVD

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError.

AnalysisAI

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError. Affected products include: Apache Artemis, Redhat Hornetq, Redhat Jboss Enterprise Application Platform. Version information: before 2.4.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2022-23913 HIGH POC
7.5 Feb 04

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through unc

CVE-2026-27446 CRITICAL
9.3 Mar 04

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0)

CVE-2021-26117 HIGH
7.5 Jan 27

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. Rated high severit

CVE-2023-50780 HIGH
8.8 Oct 14

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed thro

CVE-2021-26118 HIGH
7.5 Jan 27

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Ap

CVE-2022-35278 MEDIUM
6.1 Aug 23

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a maliciou

CVE-2021-4040 MEDIUM
5.3 Aug 24

A flaw was found in AMQ Broker. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authent

CVE-2020-13932 MEDIUM
6.1 Jul 20

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or top

CVE-2020-10727 MEDIUM
5.5 Jun 26

A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently store

CVE-2026-40914 MEDIUM
4.3 May 27

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing

Share

CVE-2017-12174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy