Vulnerability Name: CVE-2014-3600 (CCN-100722)
Assigned: 2014-05-14
Published: 2015-02-05
Updated: 2019-03-27
Summary: XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages.

CVSS v3 Severity:
9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

Vulnerability Type: CWE-611
Vulnerability Consequences: Obtain Information

References:
Source: CCN Type: Apache Web site
CVE-2014-3600: Apache ActiveMQ XXE with XPath selectors
Source: CONFIRM Type: Vendor Advisory
http://activemq.apache.org/security-advisories.data/CVE-2014-3600-announcement.txt
Source: MITRE Type: CNA
CVE-2014-3600
Source: CCN Type: oss-security Mailing List, Thu, 5 Feb 2015 15:32:00 +0100
[ANNOUNCE] CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 - Apache ActiveMQ vulnerabilities
Source: MLIST Type: Mailing List, Third Party Advisory
[oss-security] 20150205 [ANNOUNCE] CVE-2014-3600, CVE-2014-3612 and CVE-2014-8110 - Apache ActiveMQ vulnerabilities
Source: CCN Type: IBM Security Bulletin 1700521
Vulnerability in Apache ActiveMQ library affects IBM Sterling Secure Proxy (CVE-2014-3600, CVE-2014-8110)
Source: CCN Type: IBM Security Bulletin 1903654
Multiple vulnerabilities in Apache ActiveMQ affect IBM Tivoli System Automation Application Manager (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110)
Source: CCN Type: IBM Security Bulletin 1960332
Multiple vulnerabilities in Apache ActiveMQ affect IBM Control Center (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579)
Source: CCN Type: IBM Security Bulletin 1960826
Vulnerabilities in Open Source Apache ActiveMQ affect IBM Marketing Platform (CVE-2014-3600, CVE-2014-3612, CVE-2014-8110, CVE-2014-3579)
Source: CCN Type: IBM Security Bulletin 1962980
Jazz for Service Management is affected by Open Source Apache ActiveMQ vulnerability - Reported in 02/05/2015 X-Force Report
Source: CCN Type: IBM Security Bulletin 2014179 (Tivoli Components)
OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2
Source: CCN Type: IBM Security Bulletin 2014253 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact is affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (TIP)
Source: BID Type: Third Party Advisory, VDB Entry
72510
Source: CCN Type: BID-72510
Apache ActiveMQ CVE-2014-3600 XML External Entity Injection Vulnerability
Source: XF Type: Third Party Advisory, VDB Entry
apache-activemq-cve20143600-info-disc(100722)
Source: XF Type: UNKNOWN
apache-activemq-cve20143600-info-disc(100722)
Source: CONFIRM Type: Issue Tracking, Third Party Advisory
https://issues.apache.org/jira/browse/AMQ-5333
Source: MLIST Type: UNKNOWN
[activemq-commits] 20190327 svn commit: r1042639 - in /websites/production/activemq/content/activemq-website: ./ projects/artemis/download/ projects/classic/download/ projects/cms/download/ security-advisories.data/
Source: CCN Type: IBM Security Bulletin 0728833 (Sterling B2B Integrator)
Multiple Security Vulnerabilities in ActiveMQ Affect IBM Sterling B2B Integrator
Source: CCN Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities
Source: CCN Type: IBM Security Bulletin 6955033 (Security Directory Integrator)
IBM Security Directory Integrator is affected by multiple security vulnerabilities
Source: CCN Type: IBM Security Bulletin 6984347 (Engineering Requirements Management DOORS)
IBM Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6
Source: CCN Type: IBM Security Bulletin 7001693 (Security Directory Suite VA)
IBM Security Directory Suite is vulnerable to multiple issues
Source: CCN Type: WhiteSource Vulnerability Database
CVE-2014-3600

Vulnerable Configuration:
Configuration 1:
cpe:/a:apache:activemq:5.0.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.1.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.2.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.3.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.3.1:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.3.2:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.4.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.4.1:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.4.2:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.4.3:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.5.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.5.1:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.6.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.7.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.8.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.9.0:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.9.1:*:*:*:*:*:*:* OR
cpe:/a:apache:activemq:5.10.0:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:apache:activemq:5.10.0:*:*:*:*:*:*:* AND
cpe:/a:ibm:tivoli_system_automation_application_manager:3.2.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_netcool/impact:6.1.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:sterling_b2b_integrator:-:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_system_automation_application_manager:4.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_netcool/impact:6.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:sterling_secure_proxy:3.4.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:5.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:5.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:5.4.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:5.4.2.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:6.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:sterling_b2b_integrator:5.2.0.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:sterling_b2b_integrator:5.2.6.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*

apache activemq 5.0.0
apache activemq 5.1.0
apache activemq 5.2.0
apache activemq 5.3.0
apache activemq 5.3.1
apache activemq 5.3.2
apache activemq 5.4.0
apache activemq 5.4.1
apache activemq 5.4.2
apache activemq 5.4.3
apache activemq 5.5.0
apache activemq 5.5.1
apache activemq 5.6.0
apache activemq 5.7.0
apache activemq 5.8.0
apache activemq 5.9.0
apache activemq 5.9.1
apache activemq 5.10.0
apache activemq 5.10.0
ibm tivoli system automation application manager 3.2.2
ibm tivoli netcool/impact 6.1.1
ibm sterling b2b integrator -
ibm tivoli system automation application manager 4.1
ibm tivoli netcool/impact 6.1
ibm tivoli netcool/impact 7.1.0
ibm sterling secure proxy 3.4.2
ibm control center 5.3
ibm control center 5.4
ibm control center 5.4.1
ibm control center 5.4.2.1
ibm control center 6.0
ibm security identity governance and intelligence 5.2
ibm security identity governance and intelligence 5.2.1
ibm security identity governance and intelligence 5.2.2
ibm security identity governance and intelligence 5.2.2.1
ibm security identity governance and intelligence 5.2.3
ibm security identity governance and intelligence 5.2.3.1
ibm security identity governance and intelligence 5.2.3.2
ibm sterling b2b integrator 5.2.0.1
ibm sterling b2b integrator 5.2.6.3
ibm security identity governance and intelligence 5.2.4
ibm security identity governance and intelligence 5.2.4.1