PT-2020-16663 · Eclipse · Eclipse Hono

Kai Hudalla · Published 2020-11-13 · Updated 2022-02-10 · CVE-2020-27217

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse Hono versions 1.3.0 through 1.4.0
Description: The AMQP protocol adapter in Eclipse Hono does not verify the size of AMQP messages received from devices. A device may send messages that are bigger than the max-message-size indicated during link establishment. A hand-crafted AMQP 1.0 client could exploit this to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out-of-memory exception.
Recommendations: For Eclipse Hono versions 1.3.0 and 1.4.0, consider implementing size verification for AMQP messages received from devices to prevent out-of-memory exceptions. As a temporary workaround, restrict the maximum allowed message size so that messages of unlimited size cannot be sent to the adapter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
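As an added illustration (not Hono's code), here is the receiver-side check the description says is missing, written in Python: the max-message-size announced at link attach is enforced frame by frame while a message is being assembled, so a multi-frame transfer is refused before the buffer can grow past the limit. The IncomingLink and deliver names, and the sample frames, are assumed for this example.

```python
from dataclasses import dataclass, field


class MessageTooLarge(Exception):
    """Raised when a message would exceed the link's max-message-size."""


@dataclass
class IncomingLink:
    """Receiver side of one AMQP 1.0 link (hypothetical, not a Hono class)."""
    max_message_size: int  # value we announced in our attach frame
    _partial: bytearray = field(default_factory=bytearray)
    delivered: list = field(default_factory=list)  # completed messages

    def __post_init__(self) -> None:
        # In AMQP 1.0 a max-message-size of 0 means "no limit", so a
        # device-facing adapter should always announce a positive cap.
        if self.max_message_size <= 0:
            raise ValueError("max-message-size must be a positive byte count")

    def on_transfer(self, payload: bytes, more: bool) -> None:
        """Handle one transfer frame; `more` is the frame's 'more' flag."""
        # Check before buffering, so a peer cannot grow the partial message
        # one frame at a time beyond what we said we would accept.
        if len(self._partial) + len(payload) > self.max_message_size:
            self._partial.clear()  # release what was already held
            raise MessageTooLarge(f"exceeds {self.max_message_size} bytes")
        self._partial.extend(payload)
        if not more:  # final frame: the message is complete
            self.delivered.append(bytes(self._partial))
            self._partial.clear()


def deliver(link: IncomingLink, frames: list[bytes]) -> str:
    """Feed constructed transfer payloads for one message; returns the
    outcome, "accepted" or "rejected" (a rejected message is not retained)."""
    try:
        for i, payload in enumerate(frames):
            link.on_transfer(payload, more=(i < len(frames) - 1))
        return "accepted"
    except MessageTooLarge:
        return "rejected"


if __name__ == "__main__":
    link = IncomingLink(max_message_size=16)
    print(deliver(link, [b"a" * 8, b"b" * 8]))  # accepted
    print(deliver(link, [b"a" * 8, b"b" * 9]))  # rejected
```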

Weakness Enumeration

Related Identifiers

CVE-2020-27217
GHSA-9F52-HPVW-V96W

Affected Products

Eclipse Hono