CVE-2020-27217
In short
Eclipse Hono's AMQP adapter doesn't check if incoming messages from devices exceed the declared size limit, allowing an attacker to send oversized messages that crash the adapter by consuming all memory.
Technical detail
The AMQP protocol adapter in Eclipse Hono 1.3.0–1.4.0 fails to validate the size of incoming messages against the max-message-size it announced during link establishment, in violation of the AMQP 1.0 specification. A malicious device can therefore send arbitrarily large messages, triggering an out-of-memory exception and causing denial of service to the adapter.
Summary generated and translated by AI from the official description.
In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does not verify the size of AMQP messages received from devices. In particular, a device may send messages that are bigger than the max-message-size that the protocol adapter has indicated during link establishment. While the AMQP 1.0 protocol explicitly disallows a peer to send such messages, a hand-crafted AMQP 1.0 client could exploit this behavior in order to send a message of unlimited size to the adapter, eventually causing the adapter to fail with an out-of-memory exception.
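The defect described above is a receiver that announces max-message-size but then buffers whatever arrives. The following is an added illustration (not Hono's code, and not the fix the project shipped) of what receiver-side enforcement looks like: an AMQP 1.0 message can arrive as several transfer frames, so the check must run on the running byte count as each frame arrives and detach the link with the spec's `amqp:link:message-size-exceeded` condition before the oversized bytes are stored. The `Transfer`, `Receiver` and `frames` names are assumptions of this model; the sample frames are constructed inline, and the `enforce=False` mode reproduces the unbounded-buffering behaviour for comparison.

```python
"""Model of max-message-size enforcement on an AMQP 1.0 receiving link."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Link error condition defined by the AMQP 1.0 specification (section 2.8.16).
AMQP_LINK_MESSAGE_SIZE_EXCEEDED = "amqp:link:message-size-exceeded"


@dataclass
class Transfer:
    """One transfer frame (assumed, simplified: only the fields this check needs)."""
    delivery_id: int
    payload: bytes
    more: bool = False  # True on every frame of a message except the last


class LinkDetached(Exception):
    """Raised when the receiver detaches the link with an error condition."""

    def __init__(self, condition: str, description: str) -> None:
        super().__init__(f"{condition}: {description}")
        self.condition = condition


@dataclass
class Receiver:
    """Receiving end of a link; announces max_message_size in its attach frame."""
    max_message_size: int
    enforce: bool = True              # False mirrors the flawed behaviour
    peak_buffered: int = 0            # largest amount of message data held at once
    detached: bool = False
    _buffers: Dict[int, bytearray] = field(default_factory=dict)

    def _buffered(self) -> int:
        return sum(len(b) for b in self._buffers.values())

    def on_transfer(self, t: Transfer) -> Optional[bytes]:
        """Consume one frame; return the complete message once its last frame arrives."""
        if self.detached:
            raise LinkDetached(AMQP_LINK_MESSAGE_SIZE_EXCEEDED, "link is already detached")
        buf = self._buffers.setdefault(t.delivery_id, bytearray())
        # Check the running total BEFORE appending, so oversized data is never buffered.
        if self.enforce and len(buf) + len(t.payload) > self.max_message_size:
            self._buffers.clear()
            self.detached = True
            raise LinkDetached(
                AMQP_LINK_MESSAGE_SIZE_EXCEEDED,
                f"message exceeds announced max-message-size of {self.max_message_size} bytes",
            )
        buf.extend(t.payload)
        self.peak_buffered = max(self.peak_buffered, self._buffered())
        if t.more:
            return None
        return bytes(self._buffers.pop(t.delivery_id))


def frames(delivery_id: int, size: int, chunk: int) -> Iterable[Transfer]:
    """Constructed sample: lazily yield the transfer frames of a size-byte message."""
    sent = 0
    while sent < size:
        n = min(chunk, size - sent)
        sent += n
        yield Transfer(delivery_id, b"x" * n, more=sent < size)


def run(receiver: Receiver, transfers: Iterable[Transfer]) -> Tuple[List[int], Optional[str]]:
    """Feed frames to the receiver; return (sizes of completed messages, error condition)."""
    completed: List[int] = []
    for t in transfers:
        try:
            msg = receiver.on_transfer(t)
        except LinkDetached as e:
            return completed, e.condition
        if msg is not None:
            completed.append(len(msg))
    return completed, None


if __name__ == "__main__":
    ok = Receiver(max_message_size=1024)
    print(run(ok, frames(1, 900, 256)), ok.peak_buffered)          # ([900], None) 900
    strict = Receiver(max_message_size=1024)
    print(run(strict, frames(2, 1 << 20, 512)), strict.peak_buffered)  # rejected, peak 1024
    lenient = Receiver(max_message_size=1024, enforce=False)
    print(run(lenient, frames(3, 1 << 20, 4096)), lenient.peak_buffered)  # accepted, peak 1 MiB
```

The `peak_buffered` counter is the quantity a defender cares about: with enforcement it can never exceed the announced limit, whereas the lenient receiver's footprint grows with whatever the peer chooses to send, which is the condition that ends in an out-of-memory failure.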
Affected products
The Eclipse Foundation · Eclipse Hono