Bug#1104933: activemq: CVE-2025-27533
Salvatore Bonaccorso
carnil at debian.org
Thu May 8 20:41:37 BST 2025
Source: activemq
Version: 5.17.6+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/AMQ-6596
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for activemq.
CVE-2025-27533[0]:
| Memory Allocation with Excessive Size Value vulnerability in Apache
| ActiveMQ. During unmarshalling of OpenWire commands the size value
| of buffers was not properly validated which could lead to excessive
| memory allocation and be exploited to cause a denial of service
| (DoS) by depleting process memory, thereby affecting applications
| and services that rely on the availability of the ActiveMQ broker
| when not using mutual TLS connections. This issue affects Apache
| ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from
| 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not
| affected. Users are recommended to upgrade to version 6.1.6+,
| 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue.
| Existing users may implement mutual TLS to mitigate the risk on
| affected brokers.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-27533
https://www.cve.org/CVERecord?id=CVE-2025-27533
[1] https://issues.apache.org/jira/browse/AMQ-6596
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list