CVE-2017-12174: Memory exhaustion via UDP and JGroups discovery

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: 1.0.0, 1.1.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1,
1.5.2, 1.5.3, 1.5.4, 1.5.5, 2.0.0, 2.1.0, 2.2.0, 2.3.0

Description:

If an Apache Artemis broker is configured with discovery enabled (either
UDP or JGroups), on receiving of a packet over a discovery endpoint, Apache
Artemis will attempt to decode the packet and as part of it an encoded
simple string.  The first four bytes of the encoded simple string represent
it's length.  During the decoding process Apache Artemis will create a byte
array of the same length.  It is possible therefore to send a manipulated
packet to Apache Artemis with a very large integer in the first four bytes
of the simple string encoding.  Upon receiving the packet the broker will
attempt to allocate a byte array of this large size.  This could result in
heap memory exhaustion, full GC or in the worst case an unrecoverable
OutOfMemoryError, resulting in loss of service.

Mitigation: Upgrade to Apache Artemis 1.5.6 or 2.4.0

Credit: This issue was discovered by Bharti Kundal of Red Hat Inc.