CVE-2014-3612

JAAS: LDAPLoginModule allows empty password authentication

Severity Score

7.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

La implementación de LDAPLoginModule en el Java Authentication y Authorization Service (JAAS) en Apache ActiveMQ 5.x en versiones anteriores a 5.10.1 permite a atacantes remotos to eludir la autenticación iniciando sesión con una contraseña vacía y nombre de usuario válido, lo que desencadena un enlace no autenticado. NOTA: este identificador ha sido SEPARADO por ADT2 debido a diferentes tipos de vulnerabilidad. Ver CVE-2015-6524 para el uso de operadores comodín en nombres de usuario.

It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.

Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0. It includes a bug fix, which is documented in the readme.txt file included with the patch files. The following security issues are addressed in this release: It was found that if a configured LDAP server supported the unauthenticated authentication mechanism, the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service, would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-05-14 CVE Reserved
2015-02-05 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication
CWE-305: Authentication Bypass by Primary Weakness

CAPEC

References (8)

URL	Tag	Source
http://seclists.org/oss-sec/2015/q1/427	Mailing List
http://www.securityfocus.com/bid/72513	Vdb Entry
https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2%40%3Ccommits.activemq.apache.org%3E	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt	2023-02-13
http://rhn.redhat.com/errata/RHSA-2015-0137.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2015-0138.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2014-3612	2015-02-05
https://bugzilla.redhat.com/show_bug.cgi?id=1135912	2015-02-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.0.0 Search vendor "Apache" for product "Activemq" and version "5.0.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.1.0 Search vendor "Apache" for product "Activemq" and version "5.1.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.2.0 Search vendor "Apache" for product "Activemq" and version "5.2.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.0 Search vendor "Apache" for product "Activemq" and version "5.3.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.1 Search vendor "Apache" for product "Activemq" and version "5.3.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.3.2 Search vendor "Apache" for product "Activemq" and version "5.3.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.0 Search vendor "Apache" for product "Activemq" and version "5.4.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.1 Search vendor "Apache" for product "Activemq" and version "5.4.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.2 Search vendor "Apache" for product "Activemq" and version "5.4.2"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.4.3 Search vendor "Apache" for product "Activemq" and version "5.4.3"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.5.0 Search vendor "Apache" for product "Activemq" and version "5.5.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.5.1 Search vendor "Apache" for product "Activemq" and version "5.5.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.6.0 Search vendor "Apache" for product "Activemq" and version "5.6.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.7.0 Search vendor "Apache" for product "Activemq" and version "5.7.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.8.0 Search vendor "Apache" for product "Activemq" and version "5.8.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.9.0 Search vendor "Apache" for product "Activemq" and version "5.9.0"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.9.1 Search vendor "Apache" for product "Activemq" and version "5.9.1"		-		Affected
Apache Search vendor "Apache"		Activemq Search vendor "Apache" for product "Activemq"				5.10.0 Search vendor "Apache" for product "Activemq" and version "5.10.0"		-		Affected