The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6524 for the use of wildcard operators in usernames.

Versions 5.x of Apache ActiveMQ prior to 5.10.1 are affected by the following vulnerabilities :

 - An unauthenticated, remote attacker can crash the broker listener by sending a packet to the same port that a message consumer or product connects to, resulting in a denial of service condition. (CVE-2014-3576)
 - An XXE (Xml eXternal Entity) injection flaw related to XPath selectors exists that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can disclose the contents of arbitrary files. (CVE-2014-3600)
 - Two flaws exists that allow a reflected cross-site scripting (XSS) attack. The first flaw exists because the 'connection.jsp' script does not validate input to the 'connectionID' parameter before returning it to users. The second flaw exists because the 'browse.jsp' script does not validate input to the 'JMSDestination' GET parameter before returning it to users. Either of these vulnerabiltiies may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.  (CVE-2014-8110)
 - A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the 'createDestination.action' script does not validate input to the 'JMSDestination' parameter before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2010-0684)
 - A flaw exists in LDAPLoginModule in Java Authentication and Authorization Service (JAAS) that is triggered when handling an authentication attempt that contains an invalid password. This authentication attempt will be considered successful, which can allow a remote attacker to bypass authentication mechanisms. This flaw is also triggered during the handling of an authentication attempt that contains a wildcard operator in place of a username. This may allow a remote attacker to bypass authentication mechanisms (CVE-2014-3612) and can allow remote attackers to obtain credentials via a brute force attack. (CVE-2015-6524)

According to its self-reported version number, the Puppet Enterprise application running on the remote host is 3.x prior to 3.8.1. It is, therefore, affected by the following vulnerabilities :

  - An XML external entity injection (XXE) flaw exists in     the Apache ActiveMQ component due to a faulty     configuration that allows an XML parser to accept XML     external entities from untrusted sources. A remote     attacker, by sending crafted XML data, can exploit this     to disclose arbitrary files. (CVE-2014-3600)

  - An authentication bypass vulnerability exists in the     Apache ActiveMQ component due to a flaw in the     LDAPLoginModule implementation. A remote attacker can     exploit this to bypass authentication mechanisms.
    (CVE-2014-3612)

  - Multiple cross-site scripting vulnerabilities exist in     the administrative console of Apache ActiveMQ that allow     a remote attacker to inject arbitrary HTML or web     scripts. (CVE-2014-8110)

  - An invalid free memory error exists due to improper     validation of user-supplied input when a DTLS peer     receives application data between ChangeCipherSpec and     Finished messages. A remote attacker can exploit this to     corrupt memory, resulting in a denial of service or     the execution of arbitrary code. (CVE-2014-8176)

  - A denial of service vulnerability exists when processing     an ECParameters structure due to an infinite loop that     occurs when a specified curve is over a malformed binary     polynomial field. A remote attacker can exploit this to     perform a denial of service against any system that     processes public keys, certificate requests, or     certificates. This includes TLS clients and TLS servers     with client authentication enabled. (CVE-2015-1788)

  - A denial of service vulnerability exists due to improper     validation of the content and length of the ASN1_TIME     string by the X509_cmp_time() function. A remote     attacker can exploit this, via a malformed certificate     and CRLs of various sizes, to cause a segmentation     fault, resulting in a denial of service condition. TLS     clients that verify CRLs are affected. TLS clients and     servers with client authentication enabled may be     affected if they use custom verification callbacks.
    (CVE-2015-1789)

  - A NULL pointer dereference flaw exists in the PKCS#7     parsing code due to incorrect handling of missing inner     'EncryptedContent'. This allows a remote attacker, via     specially crafted ASN.1-encoded PKCS#7 blobs with     missing content, to cause a denial of service condition     or other potential unspecified impacts. (CVE-2015-1790)

  - A double-free error exists due to a race condition that     occurs when a NewSessionTicket is received by a     multi-threaded client when attempting to reuse a     previous ticket. (CVE-2015-1791)

  - A denial of service vulnerability exists in the CMS code     due to an infinite loop that occurs when verifying a     signedData message. A remote attacker can exploit this     to cause a denial of service condition. (CVE-2015-1792)

  - A double-free memory flaw exists in PostgreSQL due to     a timeout interrupt occurring partway in the session     shutdown sequence. A remote attacker, by closing     an SSL session when the authentication timeout expires,     can exploit this flaw to cause a denial of service.
    (CVE-2015-3165)

  - An out-of-memory condition exists in the printf()     functions in PostgreSQL due to a failure to check for     errors. A remote attacker can exploit this to access     sensitive information. (CVE-2015-3166)

  - A flaw exists in contrib/pgcrypto in PostgreSQL due     to cases of decryption reporting other error message     texts, which a remote attacker can use to recover     keys from other systems. (CVE-2015-3167)

  - A man-in-the-middle vulnerability, known as Logjam,     exists due to a flaw in the SSL/TLS protocol. A remote     attacker can exploit this flaw to downgrade connections     using ephemeral Diffie-Hellman key exchange to 512-bit     export-grade cryptography. (CVE-2015-4000)

The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.10.1 / 5.11.0. It is, therefore, potentially affected by multiple vulnerabilities :

  - An unauthenticated, remote attacker can crash the broker     listener by sending a packet to the same port that a     message consumer or product connects to, resulting in a     denial of service condition. (CVE-2014-3576)

  - An XML external entity (XXE) injection vulnerability     exists that is related to XPath selectors. A remote     attacker can exploit this, via specially crafted XML     data, to disclose the contents of arbitrary files.
    (CVE-2014-3600)

  - A flaw exists in the LDAPLoginModule of the Java     Authentication and Authorization Service (JAAS) which     can be triggered by the use of wildcard operators     instead of a username or by invalid passwords. A remote     attacker can exploit this to bypass authentication.
    (CVE-2014-3612)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist in the web administrative console. (CVE-2014-8110)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
8961	Apache ActiveMQ 5.x < 5.10.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	critical
84960	Puppet Enterprise 3.x < 3.8.1 Multiple Vulnerabilities (Logjam)	Nessus	CGI abuses	critical
81374	Apache ActiveMQ 5.x < 5.10.1 / 5.11.0 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2014-3612

high

Tenable Plugins

critical

critical

high