ActiveMQ: LDAP-Authentication does not verify passwords on servers with anonymous bind (CVE-2021-26117) PRODUCT AFFECTED: This issue affects Apache ActiveMQ Apache ActiveMQ, Apache ActiveMQ Artemis. PROBLEM: The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password. This issue has been assigned CVE-2021-26117. This issue is being tracked as https://issues.apache.org/jira/browse/ARTEMIS-2895 and https://issues.apache.org/jira/browse/AMQ-8035. MITIGATION: Don't use anonymous binds in the LDAP configuration or upgrade to Apache ActiveMQ Artemis 2.16.0 or Apache ActiveMQ 5.16.1 or Apache ActiveMQ 5.15.14 MODIFICATION HISTORY: : Initial Publication. RELATED LINKS: CVE-2021-26117 at cve.mitre.org ACKNOWLEDGEMENTS: Apache ActiveMQ would like to thank Gregor Tudan for reporting this issue.