activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karthiek <kmara...@cisco.com>
Subject clarification over AMQ-3294 bug denial of service vulnerability
Date Wed, 04 Dec 2013 09:32:19 GMT
We are using ActiveMQ-5.6.0 version which we confirmed through naming
convention in jar files. for eg.ActiveMQ-all-5.6.0.jar. We want to verify
whether Denial of service vulnerability is there or not when multiple open
connections comes.

We have gone through the link https://issues.apache.org/jira/browse/AMQ-3294
and is given there that it is fixed in revision 1209700 which we are not
sure whether the activemq we installed is having or not. We implemented the
sample code in POC given there. We have tested for two servers , one with
activemq 5.2.0 version and one with 5.6.0 version.

In first case, we can see messages like below:
--[ ActiveMQ Denial of Service PoC ]

[*] Request #0
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #1
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #2
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #3
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #4
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #5
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #6
- Successfully connected to tcp://10.77.164.153:42351
[*] Request #7
- Successfully connected to tcp://10.77.164.153:42351

After some 2000 requests, i am getting out of memory error-cannot create new
native thread.
Not sure, whetehr this is memory problem in eclipse or sue to this
vulnerability.

In second case with 5.6.0 version, it is showing till first two lines but
nothing proceeded further.

--[ ActiveMQ Denial of Service PoC ]

[*] Request #0

Please confirm whether this is enough to confirm the 5.6.0 version we are
having is not having this vulnerability.


Is there any other ways like command or any information in logs to verify
that the activemq version 5.6.0 we are having is not vulnerable with
multiple open connection which makes the process crash or any ways to
reproduce in 5.2.0 version and can compare with 5.6.0 version servers.



--
View this message in context: http://activemq.2283324.n4.nabble.com/clarification-over-AMQ-3294-bug-denial-of-service-vulnerability-tp4675084.html
Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.

Mime
View raw message