CVE-2014-3612
First published: Mon Aug 24 2015(Updated: )
Apache ActiveMQ could allow a remote authenticated attacker to bypass security restrictions, caused by an error in the LDAPLoginModule implementation. By sending an empty password, an attacker could exploit this vulnerability to bypass the authentication mechanism of an application using LDAPLoginModule and assume the role of another user.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Directory Suite VA | <=8.0.1-8.0.1.19 | |
| Apache ActiveMQ | =5.0.0 | |
| Apache ActiveMQ | =5.1.0 | |
| Apache ActiveMQ | =5.2.0 | |
| Apache ActiveMQ | =5.3.0 | |
| Apache ActiveMQ | =5.3.1 | |
| Apache ActiveMQ | =5.3.2 | |
| Apache ActiveMQ | =5.4.0 | |
| Apache ActiveMQ | =5.4.1 | |
| Apache ActiveMQ | =5.4.2 | |
| Apache ActiveMQ | =5.4.3 | |
| Apache ActiveMQ | =5.5.0 | |
| Apache ActiveMQ | =5.5.1 | |
| Apache ActiveMQ | =5.6.0 | |
| Apache ActiveMQ | =5.7.0 | |
| Apache ActiveMQ | =5.8.0 | |
| Apache ActiveMQ | =5.9.0 | |
| Apache ActiveMQ | =5.9.1 | |
| Apache ActiveMQ | =5.10.0 | |
| maven/org.apache.activemq:activemq-jaas | >=5.0.0<5.10.1 | 5.10.1 |
| maven/org.apache.activemq:activemq-broker | >=5.0.0<5.10.1 | 5.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
- http://rhn.redhat.com/errata/RHSA-2015-0137.html
- http://rhn.redhat.com/errata/RHSA-2015-0138.html
- http://seclists.org/oss-sec/2015/q1/427
- http://www.securityfocus.com/bid/72513
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-3612
- https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccommits.activemq.apache.org%3E
- https://github.com/apache/activemq/commit/22f2f3dde757d31307da772d579815c1d169bc39
- https://issues.apache.org/jira/browse/AMQ-5345
- https://github.com/advisories/GHSA-72m6-23ff-7q26 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100723
- https://www.ibm.com/support/pages/node/7001693 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2014-3612.
What is the affected software?
The affected software is Apache ActiveMQ versions 5.0.0 to 5.10.1.
How does the vulnerability allow bypassing security restrictions?
The vulnerability allows remote attackers to bypass authentication by logging in with an empty password and valid username, triggering an unauthenticated bind.
What is the severity of CVE-2014-3612?
The severity of CVE-2014-3612 is high with a CVSS score of 7.5.
Where can I find more information about CVE-2014-3612?
More information about CVE-2014-3612 can be found at the following references: [Reference 1](http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt), [Reference 2](http://rhn.redhat.com/errata/RHSA-2015-0137.html), [Reference 3](http://rhn.redhat.com/errata/RHSA-2015-0138.html).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-72m6-23ff-7q26
- alias/CVE-2014-3612
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/tags
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache activemq
- version/apache activemq/5.0.0
- version/apache activemq/5.1.0
- version/apache activemq/5.2.0
- version/apache activemq/5.3.0
- version/apache activemq/5.3.1
- version/apache activemq/5.3.2
- version/apache activemq/5.4.0
- version/apache activemq/5.4.1
- version/apache activemq/5.4.2
- version/apache activemq/5.4.3
- version/apache activemq/5.5.0
- version/apache activemq/5.5.1
- version/apache activemq/5.6.0
- version/apache activemq/5.7.0
- version/apache activemq/5.8.0
- version/apache activemq/5.9.0
- version/apache activemq/5.9.1
- version/apache activemq/5.10.0
- package-manager/maven
- vendor/ibm
- canonical/ibm security directory suite va
- version/ibm security directory suite va/8.0.1-8.0.1.19