CVE-2014-3576
ActiveMQ: DoS via unauthenticated remote shutdown command
Public Exploits: 0
Exploited in Wild: -
Descriptions
The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.
A vulnerability in the processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ versions before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.
It was found that the Apache ActiveMQ broker exposed a remote shutdown command without requiring any authentication to use it. A remote, unauthenticated attacker could use this flaw to shut down the ActiveMQ broker's listener.
It is possible to shut down an ActiveMQ broker remotely without authentication. The offending network packet is sent to the same port as a message consumer or producer would connect to. If the port is exposed, the attack will be possible. Apache ActiveMQ versions 5.0.0 through 5.10.1 are affected.
SSVC
- Decision:-
Timeline
- 2014-05-14 CVE Reserved
- 2015-08-11 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-306: Missing Authentication for Critical Function
References (12)
URL | Date | SRC |
---|---|---|
https://github.com/apache/activemq/commit/00921f2 | 2023-11-07 | |
http://www.debian.org/security/2015/dsa-3330 | 2023-11-07 | |
https://access.redhat.com/security/cve/CVE-2014-3576 | 2015-02-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1198306 | 2015-02-05 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Apache | Activemq | <= 5.10.0 | - | Affected |
Oracle | Business Intelligence Publisher | 12.2.1.0.0 | - | Affected |
Oracle | Fusion Middleware | 8.1 | - | Affected |
Oracle | Fusion Middleware | 9.0 | - | Affected |
Oracle | Fusion Middleware | 11.1.1.7.4 | - | Affected |
Oracle | Fusion Middleware | 12.1.3.0.0 | - | Affected |