PT-2015-2724 · Apache · Apache Activemq

Published: 2015-08-07 · Updated: 2023-02-13 · CVE-2014-3612

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ versions 5.x through 5.10.0

Description: The issue lies in the LDAPLoginModule implementation and the Java Authentication and Authorization Service (JAAS) components of Apache ActiveMQ, whose authentication procedure is weak. A remote attacker can bypass authentication by supplying a valid username together with an empty password: the empty password is forwarded to the LDAP server, which treats the request as an unauthenticated bind and accepts it.

Recommendations: For Apache ActiveMQ versions 5.x through 5.10.0, update to version 5.10.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the LDAPLoginModule implementation until a patch is available. Avoid using empty passwords for authentication in the affected API endpoints until the issue is resolved.
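The following Java snippet is an added illustration, not code from ActiveMQ or from this advisory: it shows the check a JAAS login module should make before a JNDI simple bind so that an empty password is rejected locally rather than forwarded to the directory as an unauthenticated bind. The class name, the LDAP URL and the user DN format are assumptions.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import java.util.Hashtable;

/** Illustrative guard in front of an LDAP simple bind (hypothetical class, not ActiveMQ's own). */
public class LdapBindGuard {

    /**
     * Reject credentials that an LDAP server may treat as an anonymous or
     * unauthenticated bind (RFC 4513, section 5.1): a null, empty, or
     * whitespace-only password. This runs before any network call.
     */
    public static void requireNonEmptyCredentials(String username, char[] password)
            throws LoginException {
        if (username == null || username.trim().isEmpty()) {
            throw new FailedLoginException("Username must not be empty");
        }
        if (password == null || password.length == 0
                || new String(password).trim().isEmpty()) {
            throw new FailedLoginException(
                "Empty password is not permitted (it would be an unauthenticated LDAP bind)");
        }
    }

    /**
     * Perform the simple bind only after the guard has passed.
     * ldapUrl and userDn are caller-supplied assumptions for this illustration.
     */
    public static boolean authenticate(String ldapUrl, String userDn, char[] password)
            throws LoginException {
        requireNonEmptyCredentials(userDn, password);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password); // JNDI accepts char[] here

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind request is sent here
            return true;
        } catch (NamingException e) {
            throw new FailedLoginException("LDAP bind failed: " + e.getMessage());
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Offline demonstration of the guard alone: the empty password never reaches a server.
        try {
            requireNonEmptyCredentials("uid=alice,ou=users,dc=example,dc=com", new char[0]);
            System.out.println("UNEXPECTED: empty password accepted");
        } catch (LoginException e) {
            System.out.println("Rejected before bind: " + e.getMessage());
        }
    }
}
```

The guard is the client-side half of the fix; as defence in depth, also check whether the directory server itself accepts unauthenticated binds (a DN with an empty password) and disable that where the server makes it configurable, so a future client that forgets the check still cannot bypass authentication.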

Fix

RCE

Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2015-12089
BDU:2015-12109
CVE-2014-3612
DSA-3330-1
GHSA-23CR-5HR4-RGWV
GHSA-72M6-23FF-7Q26

Affected Products

Apache Activemq