Vulnerability CVE-2019-0222


Published: 2019-03-28

Description:
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

Vendor: Apache
Product: Activemq 
Version:
5.9.1
5.9.0
5.8.0
5.7.0
5.6.0
5.5.1
5.5.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.2
5.3.1
5.3.0
5.2.0
5.15.8
5.15.7
5.15.6
5.15.5
5.15.4
5.15.3
5.15.2
5.15.1
5.15.0
5.14.5
5.14.4
5.14.3
5.14.2
5.14.1
5.14.0
5.13.5
5.13.4
5.13.3
5.13.2
5.13.1
5.13.0
5.12.3
5.12.2
5.12.1
5.12.0
5.11.3
5.11.2
5.11.1
5.11.0
5.10.2
5.10.1
5.10.0
5.1.0
5.0.0
Vendor: Netapp
Product: E-series santricity web services 

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
http://www.openwall.com/lists/oss-security/2019/03/27/2
http://www.securityfocus.com/bid/107622
https://lists.apache.org/thread.html/03f91b1fb85686a848cee6b90112cf6059bd1b21b23bacaa11a962e1@%3Cdev.activemq.apache.org%3E
https://lists.apache.org/thread.html/2b5c0039197a4949f29e1e2c9441ab38d242946b966f61c110808bcc@%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/71640324661c1b6d0b6708bd4fb20170e1b979370a4b8cddc4f8d485@%3Cdev.activemq.apache.org%3E
https://lists.apache.org/thread.html/7da9636557118178b1690ba0af49c8a7b7b97d925218b5774622f488@%3Cusers.activemq.apache.org%3E
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/d1e334bd71d6e68462c62c726fe6db565c7a6283302f9c1feed087fa@%3Ccommits.activemq.apache.org%3E
https://lists.apache.org/thread.html/fcbe6ad00f1de142148c20d813fae3765dc4274955e3e2f3ca19ff7b@%3Cdev.activemq.apache.org%3E
https://security.netapp.com/advisory/ntap-20190502-0006/
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Related CVE
CVE-2019-5498
OnCommand Insight versions through 7.3.6 may disclose sensitive account information to an authenticated user.
CVE-2019-5502
SMB in Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 has weak cryptography which when exploited could lead to information disclosure or addition or modification of data.
CVE-2019-5501
Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 may disclose sensitive LDAP account information to unauthenticated remote attackers.
CVE-2019-5493
Data ONTAP operating in 7-Mode versions prior to 8.2.5P3 are susceptible to a vulnerability which discloses information to an unauthenticated attacker. A successful attack requires that multiple non-default options be enabled.
CVE-2019-5497
NetApp AFF A700s Baseboard Management Controller (BMC) firmware versions 1.22 and higher were shipped with a default account enabled that could allow unauthorized arbitrary command execution.
CVE-2019-8936
NTP through 4.2.8p12 has a NULL Pointer Dereference.
CVE-2019-5492
Element Plug-in for vCenter Server versions prior to 4.2.3 may disclose sensitive account information to an unauthenticated attacker. NetApp HCI Compute Node versions prior to 1.4P2 bundle affected versions of Element Plug-in for vCenter Server.
CVE-2019-11035
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.

Copyright 2019, cxsecurity.com

 

Back to Top