We are using ActiveMQ-5.6.0 version which we confirmed through naming convention in jar files. for eg.ActiveMQ-all-5.6.0.jar. We want to verify whether Denial of service vulnerability is there or not when multiple open connections comes.
We have gone through the link https://issues.apache.org/jira/browse/AMQ-3294 and is given there that it is fixed in revision 1209700 which we are not sure whether the activemq we installed is having or not. We implemented the sample code in POC given there. We have tested for two servers , one with activemq 5.2.0 version and one with 5.6.0 version. In first case, we can see messages like below: --[ ActiveMQ Denial of Service PoC ] [*] Request #0 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #1 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #2 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #3 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #4 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #5 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #6 - Successfully connected to tcp://10.77.164.153:42351 [*] Request #7 - Successfully connected to tcp://10.77.164.153:42351 After some 2000 requests, i am getting out of memory error-cannot create new native thread. Not sure, whetehr this is memory problem in eclipse or sue to this vulnerability. In second case with 5.6.0 version, it is showing till first two lines but nothing proceeded further. --[ ActiveMQ Denial of Service PoC ] [*] Request #0 Please confirm whether this is enough to confirm the 5.6.0 version we are having is not having this vulnerability. Is there any other ways like command or any information in logs to verify that the activemq version 5.6.0 we are having is not vulnerable with multiple open connection which makes the process crash or any ways to reproduce in 5.2.0 version and can compare with 5.6.0 version servers. -- View this message in context: http://activemq.2283324.n4.nabble.com/clarification-over-AMQ-3294-bug-denial-of-service-vulnerability-tp4675084.html Sent from the ActiveMQ - Dev mailing list archive at Nabble.com.
