CVE-2021-4040: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2021-4040) was discovered in AMQ Broker that could cause a partial interruption to the broker's availability through an Out of Memory (OOM) condition. The vulnerability affects AMQ Broker versions up to (excluding) 7.10.0 and Apache ActiveMQ Artemis versions up to (excluding) 2.19.1. The flaw was discovered in late 2021 and allows attackers to disrupt service availability through maliciously crafted messages (NVD, Red Hat Advisory).

The vulnerability stems from improper handling of XID parsing in the broker, which could lead to an Out-of-bounds Write condition. The issue occurs when a 32-bit integer is read from the stream and a byte array is allocated using this value without performing proper checks, potentially leading to uncontrolled resource consumption. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, ARTEMIS-3593).

The primary impact of this vulnerability is on system availability. When exploited, the flaw allows attackers to cause a partial disruption of service through uncontrolled resource consumption, specifically leading to an Out of Memory (OOM) condition in the AMQ Broker. The highest threat from this vulnerability is to system availability, with no direct impact on confidentiality or integrity (NVD, Red Hat Bugzilla).

The vulnerability has been fixed in AMQ Broker version 7.10.0 and Apache ActiveMQ Artemis version 2.19.1. Users are advised to upgrade to these versions or later to mitigate the vulnerability. The fix includes implementing proper checks during XID parsing to prevent uncontrolled resource consumption (Red Hat Advisory, Artemis Commit).