CVE-2014-3612
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
Find out more about CVE-2014-3612 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 7.5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Fuse Management Console 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
| Red Hat JBoss Fuse 6.1 | RHSA-2015:0137 | 2015-02-05 |
| Fuse MQ Enterprise 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
| Red Hat JBoss A-MQ 6.1 | RHSA-2015:0137 | 2015-02-05 |
| Fuse ESB Enterprise 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | activemq | Will not fix |
| Red Hat OpenShift Enterprise 1 | activemq | Will not fix |