It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
Find out more about CVE-2014-3612 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 7.5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Fuse Management Console 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
| Fuse MQ Enterprise 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
| Fuse ESB Enterprise 7.1.0 | RHSA-2015:0138 | 2015-02-05 |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Enterprise 2 | activemq | Will not fix |
| Red Hat OpenShift Enterprise 1 | activemq | Will not fix |
Vulmon