Bug 1135912 (CVE-2014-3612) - CVE-2014-3612 ActiveMQ JAAS: LDAPLoginModule allows empty password authentication
Summary: CVE-2014-3612 ActiveMQ JAAS: LDAPLoginModule allows empty password authentica...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3612
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165359
Blocks: 1135914 1183155
TreeView+ depends on / blocked
 
Reported: 2014-09-01 07:34 UTC by Arun Babu Neelicattu
Modified: 2023-05-12 18:06 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
Clone Of:
Environment:
Last Closed: 2016-07-12 23:04:27 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0137 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security and bug fix update 2015-02-06 02:30:51 UTC
Red Hat Product Errata RHSA-2015:0138 0 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 security update 2015-02-06 02:05:31 UTC

Description Arun Babu Neelicattu 2014-09-01 07:34:36 UTC 
IssueDescription:

It was found that if a configured LDAP server supported the unauthenticated authentication mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to be successful for a valid user that provided an empty password. A remote attacker could use this flaw to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role of any valid user within that application.
Comment 3 Arun Babu Neelicattu 2015-02-05 01:23:35 UTC 
Acknowledgements:

Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.
Comment 4 errata-xmlrpc 2015-02-05 21:05:46 UTC 
This issue has been addressed in the following products:

  Fuse ESB Enterprise 7.1.0
  Fuse MQ Enterprise 7.1.0

Via RHSA-2015:0138 https://rhn.redhat.com/errata/RHSA-2015-0138.html
Comment 5 errata-xmlrpc 2015-02-05 21:31:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0
  Red Hat JBoss A-MQ 6.1.0

Via RHSA-2015:0137 https://rhn.redhat.com/errata/RHSA-2015-0137.html
Comment 7 Chess Hazlett 2016-07-12 23:04:27 UTC 
Closing flaw bug, leaving tracker for Kurt.
Note You need to log in before you can comment on or make changes to this bug.