It was discovered [1] that Apache Shiro authenticated users without specifying a user name or a password when used in conjunction with an LDAP back end that allowed unauthenticated binds. This issue has been fixed upstream in version 1.2.3 of Apache Shiro.

[1] https://issues.apache.org/jira/browse/SHIRO-460
[2] http://seclists.org/fulldisclosure/2014/Mar/22

Upstream patch commit: http://svn.apache.org/viewvc?view=revision&revision=1572813
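To make the failure mode concrete, the following is an added example and not Apache Shiro code or the upstream patch. It models an LDAP simple bind against a constructed in-memory directory (no real LDAP server or client library is used): a realm that forwards user-supplied credentials straight to the bind treats the directory's acceptance of an unauthenticated bind (non-empty name, empty password, RFC 4513 section 5.1.2) as proof of identity, whereas the hardened variant refuses empty credentials before ever binding and additionally requires that the bind actually authenticated the name. The function names, the DN layout and the user record are assumptions made for the example.

```python
"""Added example (not Apache Shiro code): shows why forwarding raw
credentials to an LDAP bind is unsafe when the directory allows
unauthenticated binds, and the client-side guard that closes the gap.
"""

# Constructed directory: DN -> password. Not a real LDAP server.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct-horse",
}


def ldap_simple_bind(dn, password, allow_unauthenticated=True):
    """Toy model of the LDAP simple bind operation.

    Returns (success, auth_level) and mirrors the three cases of
    RFC 4513 section 5.1:
      - anonymous:        empty name and empty password
      - unauthenticated:  non-empty name, empty password; the server may
                          accept it, but the result is still anonymous
                          access, not proof that the caller is `dn`
      - name/password:    both non-empty, password is verified
    """
    if dn == "" and password == "":
        return True, "anonymous"
    if password == "":
        if allow_unauthenticated:
            return True, "anonymous"  # bind "succeeds" without checking anything
        return False, None
    if DIRECTORY.get(dn) == password:
        return True, "authenticated"
    return False, None


def user_dn(username):
    """Assumed DN template for the example directory."""
    return f"uid={username},ou=people,dc=example,dc=com"


def authenticate_vulnerable(username, password):
    """Realm logic of the kind the advisory describes: any successful bind
    is taken as a successful login, so an empty password is accepted
    whenever the directory permits unauthenticated binds."""
    ok, _ = ldap_simple_bind(user_dn(username), password)
    return ok


def authenticate_hardened(username, password):
    """Reject empty credentials before binding, and only accept a bind
    that actually authenticated the name (defence in depth against a
    directory that is later reconfigured to permit unauthenticated binds)."""
    if not username or not password:
        return False
    ok, level = ldap_simple_bind(user_dn(username), password)
    return ok and level == "authenticated"


if __name__ == "__main__":
    print("vulnerable, empty password:", authenticate_vulnerable("alice", ""))
    print("hardened,   empty password:", authenticate_hardened("alice", ""))
    print("hardened,   real password: ", authenticate_hardened("alice", "correct-horse"))
```

The client-side check is the part a Shiro deployer controls; the directory-side setting is separate, and RFC 4513 recommends that servers refuse unauthenticated binds by default, so an LDAP server that accepts them is worth flagging in a configuration review independently of the Shiro upgrade.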
This issue has been addressed in the following products:

Red Hat JBoss Fuse/A-MQ 6.1.0
Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

Fuse ESB Enterprise 7.1.0
Fuse MQ Enterprise 7.1.0
Via RHSA-2014:1369 https://rhn.redhat.com/errata/RHSA-2014-1369.html