CVE-2017-12174

Impact:
Important
Public Date:
2018-02-05
CWE:
CWE-20
Bugzilla:
1498378: CVE-2017-12174 artemis/hornetq: memory exhaustion via UDP and JGroups discovery
It was found that when Artemis and HornetQ are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError.

Find out more about CVE-2017-12174 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2018:0269 2018-02-05
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (hornetq) RHSA-2018:0271 2018-02-05
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:0480 2018-03-12
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (hornetq) RHSA-2018:0268 2018-02-05
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2018:0275 2018-02-05
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2018:0481 2018-03-12
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2018:0481 2018-03-12
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:0479 2018-03-12
Red Hat JBoss EAP 7 RHSA-2018:0478 2018-03-12
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (hornetq) RHSA-2018:0270 2018-02-05

Affected Packages State

Platform Package State
Red Hat JBoss Operations Network 3 hornetq Not affected

Acknowledgements

This issue was discovered by Masafumi Miura (Red Hat).
Last Modified