CVE-2022-23913 - Vulnerability Details

Description

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

Published: 2022-02-04

Score: 7.5 High

EPSS: 2.4% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache ActiveMQ Artemis

affected

Version	Status	Constraints
`2.19.0`	affected	< 2.20.0

Configuration 1 [-]

cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*

Package	CPE	Advisory	Released Date
Red Hat AMQ 7.10.0
artemis-commons	cpe:/a:redhat:amq_broker:7	RHSA-2022:5101	2022-06-16T00:00:00Z
Red Hat Fuse 7.11
artemis-commons	cpe:/a:redhat:jboss_fuse:7	RHSA-2022:5532	2022-07-07T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7
artemis-commons	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2022:4922	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7
eap7-activemq-artemis-0:1.5.5.016-1.redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-artemis-native-1:1.5.5.016-1.redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-jboss-xnio-base-0:3.5.11-1.Final_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-jsoup-0:1.14.2-1.redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-undertow-0:1.4.18-14.SP13_redhat_00001.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-wildfly-0:7.1.10-2.GA_redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-woodstox-core-0:5.0.3-2.redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
eap7-xml-security-0:2.0.10-2.redhat_00002.1.ep7.el7	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7	RHSA-2025:4226	2025-04-28T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
eap7-activemq-artemis-0:2.9.0-10.redhat_00021.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-gson-0:2.8.9-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-hal-console-0:3.2.18-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-14.Final_redhat_00015.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-jboss-xnio-base-0:3.7.14-3.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-wildfly-0:7.3.13-4.GA_redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7	RHSA-2025:4437	2025-05-05T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-activemq-artemis-0:2.16.0-9.redhat_00042.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2022:4919	2022-06-06T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-activemq-artemis-0:2.16.0-9.redhat_00042.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2022:4918	2022-06-06T00:00:00Z
Red Hat Single Sign-On 7.6.1
	cpe:/a:redhat:red_hat_single_sign_on:7.6.1	RHSA-2022:7417	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 7
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7	RHSA-2022:7409	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 8
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8	RHSA-2022:7410	2022-11-03T00:00:00Z
Red Hat Single Sign-On 7.6 for RHEL 9
rh-sso7-0:1-5.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-javapackages-tools-0:6.0.0-7.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9	RHSA-2022:7411	2022-11-03T00:00:00Z
RHPAM 7.13.1 async
artemis-commons	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2022:6813	2022-10-05T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

Upgrade to Apache ActiveMQ Artemis 2.20.0 or 2.19.1 (if you're still using Java 8).

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1134	In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.
Github GHSA	GHSA-pr38-qpxm-g88x	Apache ActiveMQ Artemis Uncontrolled Resource Consumption (DoS)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.02409.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2
https://nvd.nist.gov/vuln/detail/CVE-2022-23913
https://security.netapp.com/advisory/ntap-20220303-0003/
https://www.cve.org/CVERecord?id=CVE-2022-23913

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00178}`	epss `{'score': 0.00202}`

Mon, 05 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7

Mon, 28 Apr 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat jboss Enterprise Application Platform Eus
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
Vendors & Products		Redhat jboss Enterprise Application Platform Eus

Subscriptions

Apache Activemq Artemis

Netapp Active Iq Unified Manager Oncommand Workflow Automation

Redhat Amq Broker Jboss Enterprise Application Platform Jboss Enterprise Application Platform Eus Jboss Enterprise Bpms Platform Jboss Fuse Red Hat Single Sign On

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-02-04T22:33:01.000Z

Updated: 2024-08-03T03:59:22.547Z

Reserved: 2022-01-24T00:00:00.000Z

Link: CVE-2022-23913

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-02-04T23:15:15.827

Modified: 2024-11-21T06:49:27.153

Link: CVE-2022-23913

Redhat

Severity : Moderate

Publid Date: 2022-02-04T00:00:00Z

Links: CVE-2022-23913 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object