Candidate: CVE-2014-3612
PublicDate: 2015-08-24 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3612
 http://activemq.apache.org/security-advisories.data/CVE-2014-3612-announcement.txt
 http://seclists.org/oss-sec/2015/q1/427
 http://rhn.redhat.com/errata/RHSA-2015-0137.html
 http://rhn.redhat.com/errata/RHSA-2015-0138.html
Description:
 The LDAPLoginModule implementation in the Java Authentication and
 Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows
 remote attackers to bypass authentication by logging in with an empty
 password and valid username, which triggers an unauthenticated bind. NOTE:
 this identifier has been SPLIT per ADT2 due to different vulnerability
 types. See CVE-2015-6524 for the use of wildcard operators in usernames.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777196
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_activemq:
upstream_activemq: released (5.6.0+dfsg1-4)
precise_activemq: ignored (reached end-of-life)
precise/esm_activemq: DNE (precise was needed)
trusty_activemq: released (5.6.0+dfsg-1+deb7u1build0.14.04.1)
trusty/esm_activemq: DNE (trusty was released [5.6.0+dfsg-1+deb7u1build0.14.04.1])
vivid/stable-phone-overlay_activemq: DNE
vivid/ubuntu-core_activemq: DNE
wily_activemq: not-affected (5.6.0+dfsg1-4+deb8u1ubuntu1)
xenial_activemq: not-affected
yakkety_activemq: not-affected
zesty_activemq: not-affected
devel_activemq: not-affected