CVE-2017-12174 — HIGH (7.5)

Q: How severe is CVE-2017-12174?

CVE-2017-12174 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-12174?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq Artemis, Redhat Hornetq, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.

Vulnerability Description

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Activemq Artemis	< 2.4.0
Redhat	Hornetq	< 2.4.0
Redhat	Jboss Enterprise Application Platform	6.4.0
Redhat	Enterprise Linux	7.0

Related Weaknesses (CWE)

CWE-400

References

https://access.redhat.com/errata/RHSA-2018:0268Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0269Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0270Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0271Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0275Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0478Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0479Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0480Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0481Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12174Issue TrackingVendor Advisory
https://lists.apache.org/thread.html/rb2fd3bf2dce042e0ab3f3c94c4767c96bb2e7e6737
https://lists.apache.org/thread.html/rc96ad63f148f784c84ea7f0a178c84a8985c6afcca
https://access.redhat.com/errata/RHSA-2018:0268Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0269Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:0270Vendor Advisory

FAQ

What is CVE-2017-12174?

CVE-2017-12174 is a vulnerability with a CVSS score of 7.5 (HIGH). It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may re...

How severe is CVE-2017-12174?

CVE-2017-12174 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-12174?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Activemq Artemis, Redhat Hornetq, Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.