Thanks Matt!

On Wed, Mar 4, 2026 at 6:47 AM Matt Pavlovich <[email protected]> wrote:

> Ken-
>
> The severity is a 5.4
>
> -Matt
>
> > On Mar 3, 2026, at 9:49 PM, Ken Liao <[email protected]> wrote:
> >
> > Thanks Christopher,
> >
> > Do we know the timeline of when
> > https://www.cve.org/CVERecord?id=CVE-2025-66168 will be published? And what
> > is the severity of this CVE?
> >
> > Ken
> >
> > On Tue, Mar 3, 2026 at 9:26 AM Christopher L. Shannon <[email protected]> wrote:
> >
> >> Severity:
> >>
> >> Affected versions:
> >>
> >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.2
> >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.1.9
> >> - Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.2.0 before 6.2.1
> >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) before 5.19.2
> >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.0.0 before 6.1.9
> >> - Apache ActiveMQ All Module (org.apache.activemq:activemq-all) 6.2.0 before 6.2.1
> >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) before 5.19.2
> >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.0.0 before 6.1.9
> >> - Apache ActiveMQ MQTT Module (org.apache.activemq:activemq-mqtt) 6.2.0 before 6.2.1
> >>
> >> Description:
> >>
> >> Apache ActiveMQ does not properly validate the remaining length field,
> >> which may lead to an overflow during the decoding of malformed
> >> packets. When this integer overflow occurs, ActiveMQ may incorrectly
> >> compute the total Remaining Length and subsequently misinterpret the
> >> payload as multiple MQTT control packets, which makes the broker
> >> susceptible to unexpected behavior when interacting with non-compliant
> >> clients. This behavior violates the MQTT v3.1.1 specification, which
> >> restricts Remaining Length to a maximum of 4 bytes. The scenario occurs
> >> on established connections after the authentication process. Brokers
> >> that are not enabling mqtt transport connectors are not impacted.
> >>
> >> This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0
> >>
> >> Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1,
> >> which fixes the issue.
> >>
> >> Credit:
> >>
> >> Gai Tanaka <[email protected]> (finder)
> >>
> >> References:
> >>
> >> https://activemq.apache.org/
> >> https://www.cve.org/CVERecord?id=CVE-2025-66168
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
> >> For further information, visit: https://activemq.apache.org/contact
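The advisory above hinges on the MQTT v3.1.1 rule that the Remaining Length field is a variable-length integer of at most 4 bytes. The following is an added illustration, not ActiveMQ's code or the project's fix: a strict decoder that stops and rejects the packet once a fifth continuation byte appears, plus a frame splitter built on it, so a malformed length can never be accumulated past the spec maximum and cannot cause a following chunk of the buffer to be read as additional control packets. The sample byte stream is constructed for the example.

```python
# Strict MQTT v3.1.1 Remaining Length decoding (spec section 2.2.3).
# Hypothetical illustration, not ActiveMQ code.

MAX_LENGTH_BYTES = 4   # spec: the encoding uses at most 4 bytes

class MalformedPacket(ValueError):
    """A packet that violates MQTT framing rules."""

def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (value, bytes_consumed); raise instead of reading a 5th byte."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed >= MAX_LENGTH_BYTES:
            raise MalformedPacket("Remaining Length longer than 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedPacket("truncated Remaining Length")
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier   # low 7 bits carry data
        multiplier *= 128
        if not byte & 0x80:                   # high bit = continuation flag
            return value, consumed

def rejects_remaining_length(encoded: bytes) -> bool:
    """True if the strict decoder refuses this encoding."""
    try:
        decode_remaining_length(encoded)
    except MalformedPacket:
        return True
    return False

def split_control_packets(buf: bytes) -> list[tuple[int, bytes]]:
    """Split concatenated control packets into (packet type, body) pairs."""
    packets, pos = [], 0
    while pos < len(buf):
        packet_type = buf[pos] >> 4          # fixed header: type in high nibble
        length, n = decode_remaining_length(buf, pos + 1)
        start = pos + 1 + n
        if start + length > len(buf):
            raise MalformedPacket("Remaining Length runs past the buffer")
        packets.append((packet_type, buf[start:start + length]))
        pos = start + length
    return packets

# Constructed sample: PINGREQ, a PUBLISH with a 3-byte body, PINGREQ.
SAMPLE_STREAM = b"\xc0\x00" + b"\x30\x03abc" + b"\xc0\x00"
```

Running `split_control_packets(SAMPLE_STREAM)` yields the three packets, while any Remaining Length with four continuation bytes in a row is refused before a value is ever computed from it.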
