It is possible to shutdown an ActiveMQ broker remotely without authentication. The offending network packet is sent to the same port as a message consumer or producer would connect to. If the port is exposed, the attack will be possible. Apache ActiveMQ versions 5.0.0 through 5.10.1 are affected.
1a5c7436172e37ca0992c82ef6908079a93087a9cf4257c43499a47fa09a74a1
CVE-2014-3576: Remote Unauthenticated Shutdown of Broker (DoS)
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache ActiveMQ 5.0.0 - 5.10.1
Description:
It is possible to shutdown an ActiveMQ broker remotely without authentication. The offending network packet is sent to the same port as a message consumer or producer would connect to. If the port is exposed,
the attack will be possible.
Mitigation:
Upgrade to Apache ActiveMQ 5.11.0