
Christopher L. Shannon

#36402 of 53,779
7.5 Total CVSS
Vulnerabilities · 1
PT-2025-19995
7.5
2025-05-06
Apache · Apache ActiveMQ · CVE-2025-27533
**Name of the Vulnerable Software and Affected Versions**

- Apache ActiveMQ versions 6.0.0 through 6.1.6
- Apache ActiveMQ versions 5.18.0 through 5.18.7
- Apache ActiveMQ versions 5.17.0 through 5.17.7
- Apache ActiveMQ versions prior to 5.16.8

**Description**

The issue is related to a Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands, the size value of buffers was not properly validated, which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory. This affects applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. It is estimated that over 41.9 million services may be affected.

**Recommendations**

To resolve the issue, upgrade to one of the following versions or later, depending on the release line in use:

- 6.1.6 or later
- 5.19.0 or later
- 5.18.7 or later
- 5.17.7 or later
- 5.16.8 or later

As a temporary workaround, consider implementing mutual TLS to mitigate the risk on affected brokers.