Apache ActiveMQ 5.0.0 - 5.10.0 JAAS LDAPLoginModule empty password authentication Vulnerability

Published: 28 Aug 2015. Reported by Georgi Geshev. Type: zdt. Source: 0day.today

Apache ActiveMQ LDAPLoginModule Empty Password Vulnerability

CVE-2014-3612: ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache ActiveMQ 5.0.0 - 5.10.0

Description:
It was found that if a configured LDAP server supported the unauthenticated authentication
mechanism (as described by RFC 4513), the LDAPLoginModule implementation provided by ActiveMQ's
Java Authentication and Authorization Service (JAAS) support would consider an authentication attempt
to be successful for a valid user that provided an empty password. A remote attacker could use this flaw
to bypass the authentication mechanism of an application using LDAPLoginModule and assume the role
of any valid user within that application. Additionally, when LDAP authentication is enabled, an
attacker can supply a wildcard operator instead of a username, which effectively allows them to
brute-force the password of an unknown but valid account rather than a combination of username and
password. Once a valid password is found, the attacker can successfully authenticate with LDAP and
publish/subscribe to a queue.
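
As an added example (not ActiveMQ's own code), the following Python sketch shows the two pre-bind checks that close both holes described above: refusing an empty password before a simple bind, so an RFC 4513 unauthenticated bind can never be mistaken for success, and refusing or escaping wildcard characters in the username before it is placed in the LDAP search filter. The toy directory, DN layout and function names are assumptions; the in-memory `simple_bind` stands in for a server that has the unauthenticated mechanism enabled.

```python
# Added example, not ActiveMQ's own code: the checks a JAAS-style LDAP login
# module must perform before binding, so that an RFC 4513 "unauthenticated"
# bind and a wildcard username cannot be abused. Names and data are constructed.

# RFC 4515 escaping for values placed in a search filter; without it
# "*" is interpreted as a wildcard by the directory.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

class AuthError(Exception):
    """Raised when credentials are rejected before any LDAP traffic is sent."""

def build_user_filter(username: str, template: str = "(uid={0})") -> str:
    # A login name is a literal value: refuse wildcards outright rather than
    # letting "*" match any entry in the user search.
    if "*" in username:
        raise AuthError("wildcard in username rejected")
    return template.format(escape_filter_value(username))

def precheck_credentials(username: str, password: str) -> None:
    # RFC 4513 allows a server to treat "DN + empty password" as an
    # anonymous bind that succeeds; the client must refuse to send it.
    if not username.strip():
        raise AuthError("empty username rejected")
    if not password:
        raise AuthError("empty password rejected before bind")

# Toy directory standing in for the LDAP server (constructed sample data).
_DIRECTORY = {"uid=alice,ou=users,dc=example,dc=com": "s3cret"}

def simple_bind(dn: str, password: str) -> bool:
    # Emulates a server with the RFC 4513 unauthenticated mechanism enabled:
    # an empty password "succeeds" without any credential check.
    if password == "":
        return True
    return _DIRECTORY.get(dn) == password

def login(username: str, password: str) -> bool:
    precheck_credentials(username, password)
    build_user_filter(username)  # the filter the user search would send
    return simple_bind(f"uid={username},ou=users,dc=example,dc=com", password)

def login_outcome(username: str, password: str) -> str:
    # Returns "granted", "denied", or the reason the attempt never reached LDAP.
    try:
        return "granted" if login(username, password) else "denied"
    except AuthError as exc:
        return f"rejected: {exc}"
```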


Mitigation:
Upgrade to Apache ActiveMQ 5.10.1 or 5.11.0

Credit:
This issue was discovered by Georgi Geshev from MWR Labs and Arun Babu Neelicattu from Red Hat.

#  0day.today [2018-01-05]  #
