A flaw was found in Red Hat AMQ 6 and ActiveMQ Artemis (Red Hat AMQ 7) with the LDAP login module. If anonymous binds are enabled on the LDAP provider (zero length DN/password) and the LDAP module is configured to make use of these, client credentials are not correctly verified and authentication is effectively bypassed.
Upstream Issue: https://issues.apache.org/jira/browse/ARTEMIS-2895
Public: https://www.openwall.com/lists/oss-security/2021/01/27/6
Mitigation: There is currently no known mitigation for this issue.
This issue has been addressed in the following products:
  Red Hat Fuse/AMQ 6.3.18
Via RHSA-2021:0384 https://access.redhat.com/errata/RHSA-2021:0384
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-26117
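
The failure mode in the flaw description above, as an added example that is not code from Red Hat AMQ or ActiveMQ Artemis: a login routine that treats any successful bind as proof of identity, next to one that refuses zero-length credentials before binding. `SimulatedDirectory`, both login functions and the sample entry are hypothetical and constructed for illustration; the model assumes the provider answers a zero-length password with an anonymous bind when anonymous binds are enabled.

```python
class BindError(Exception):
    """Raised by the simulated directory when a bind is refused."""


class SimulatedDirectory:
    """Stand-in for an LDAP provider (hypothetical class, constructed data)."""

    def __init__(self, entries, allow_anonymous):
        self.entries = entries                  # DN -> password
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        # Modelling assumption: a zero-length password is handled as an
        # anonymous bind, so no credential is compared at all.
        if password == "":
            if self.allow_anonymous:
                return "anonymous"
            raise BindError("anonymous bind disabled")
        if self.entries.get(dn) != password:
            raise BindError("invalid credentials")
        return dn                               # session is bound as this DN


def login_bind_only(directory, dn, password):
    """Flawed pattern: 'the bind did not fail' is taken as authentication."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False


def login_checked(directory, dn, password):
    """Hardened pattern: reject zero-length credentials before binding and
    require that the session was bound as the DN the client claimed."""
    if not dn or not password:
        return False
    try:
        return directory.simple_bind(dn, password) == dn
    except BindError:
        return False


# Constructed sample data: one user, anonymous binds enabled on the provider.
ALICE = "uid=alice,ou=users,dc=example,dc=org"
DIRECTORY = SimulatedDirectory({ALICE: "correct-horse"}, allow_anonymous=True)
```

With `DIRECTORY`, `login_bind_only(DIRECTORY, ALICE, "")` returns `True` while `login_checked` returns `False` for the same input; both accept only the correct password otherwise.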