Main Vulnerability Database SB2021012801

SB2021012801 - Authentication bypass in Apache ActiveMQ and ActiveMQ Artemis

Published: January 28, 2021

Security Bulletin ID SB2021012801

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Authentication (CVE-ID: CVE-2021-26117)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a logic error in ActiveMQ LDAP login module when configured to to use anonymous access to the LDAP server. A remote attacker can provide a valid username and no password and gain unauthorized access to the system.

Remediation

Install update from vendor's website.

References

https://mail-archives.apache.org/mod_mbox/activemq-users/202101.mbox/%3cCAH+vQmMeUEiKN4wYX9nLBbqmFZFPXqajNvBKmzb2V8QZANcSTA@mail.gmail.com%3e
https://issues.apache.org/jira/browse/AMQ-8035
https://issues.apache.org/jira/browse/ARTEMIS-2895