CVE-2014-3576

Current Description

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

Basic Data

Published: August 14, 2015
Last Modified: March 27, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: NONE
CVSS 3 - Integrity Impact: NONE
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 7.5
CVSS 3 - Base Severity: HIGH
Exploitability Score: 3.9
Base Severity: HIGH

Configurations

  • OR - Configuration 1
    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Apache | Activemq | * | * | * | * | * | * | * | * | | 5.10.0 | | |
  • OR - Configuration 2
    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Oracle | Business Intelligence Publisher | 12.2.1.0.0 | * | * | * | * | * | * | * | | | | |
  • OR - Configuration 3
    | Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding |
    | 2.3 | Application | Oracle | Fusion Middleware | 8.1 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Fusion Middleware | 9.0 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Fusion Middleware | 11.1.1.7.4 | * | * | * | * | * | * | * | | | | |
    | 2.3 | Application | Oracle | Fusion Middleware | 12.1.3.0.0 | * | * | * | * | * | * | * | | | | |

Vulnerable Software List

| Vendor | Product | Versions |
| Apache | Activemq | * |
| Oracle | Business Intelligence Publisher | 12.2.1.0.0 |
| Oracle | Fusion Middleware | 11.1.1.7.4, 12.1.3.0.0, 8.1, 9.0 |

References

| Name | Source URL | Tags |
| [dev] 20150721 About CVE-2014-3576 | http://activemq.2283324.n4.nabble.com/About-CVE-2014-3576-tp4699628.html | MLIST |
| http://packetstormsecurity.com/files/134274/Apache-ActiveMQ-5.10.1-Denial-Of-Service.html | http://packetstormsecurity.com/files/134274/Apache-ActiveMQ-5.10.1-Denial-Of-Service.html | MISC |
| DSA-3330 | http://www.debian.org/security/2015/dsa-3330 | DEBIAN |
| http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html | http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html | CONFIRM |
| http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html | CONFIRM |
| 20151106 [ANNOUNCE] CVE-2014-3576 - Apache ActiveMQ vulnerabilities | http://www.securityfocus.com/archive/1/536862/100/0/threaded | BUGTRAQ |
| 76272 | http://www.securityfocus.com/bid/76272 | BID |
| 1033898 | http://www.securitytracker.com/id/1033898 | SECTRACK |
| https://github.com/apache/activemq/commit/00921f2 | https://github.com/apache/activemq/commit/00921f2 | CONFIRM PATCH |
| [activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/ | https://lists.apache.org/thread.html/a859563f05fbe7c31916b3178c2697165bd9bbf5a65d1cf62aef27d2@%3Ccom | MLIST |