CVE-2014-3576

CWE-264 CWE-78 — OS Command Injection7 documents6 sources

Severity

7.5HIGH

EPSS

38.2%

top 2.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Activemq Oracle Business Intelligence Publisher Oracle Fusion Middleware

Timeline

PublishedAug 14

Latest updateMay 14

Description

The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Mavenorg.apache.activemq:activemq-client< 5.11.0

▶NVDapache/activemq5.10.0

▶Debianactivemq< 5.6.0+dfsg1-4+deb8u1+2

▶NVDoracle/fusion_middleware4 versions+3

▶NVDoracle/business_intelligence_publisher12.2.1.0.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Improper Neutralization of Special Elements used in an OS Command in Apache ActiveMQ↗2022-05-14

▶

OSV

Improper Neutralization of Special Elements used in an OS Command in Apache ActiveMQ↗2022-05-14

▶

CVEList

CVE-2014-3576: The processControlCommand function in broker/TransportConnection↗2015-08-14

▶

OSV

CVE-2014-3576: The processControlCommand function in broker/TransportConnection↗2015-08-14

▶

📋Vendor Advisories

Debian

CVE-2014-3576: activemq - The processControlCommand function in broker/TransportConnection.java in Apache ...↗2014

▶

💬Community

Bugzilla

CVE-2014-3576 ActiveMQ: DoS via unauthenticated remote shutdown command↗2015-03-03

▶