Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM/OpenAM Security Advisory #201801

Last updated Feb 24, 2021

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 5.0, AM 5.1.x and OpenAM 12.0.x, 13.0.0 and 13.5.0. The OpenAM Community Edition 11.0.3 may also be affected.


January 17, 2018

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 12.0.4
  • 13.5.0
  • AM 5.0.0
  • AM 5.1.0
  • AM 5.1.1

Customers can obtain these patch bundles from BackStage.

Issue #201801-01: Business Logic Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity Critical

Description:

A specific type of request will allow access to another resource owner's access token.

Workaround:

Do not use the JWT bearer token grant type.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-02: Configuration password stored in plain text

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity High

Description:

Exporting the server settings displays certain configuration passwords in clear text.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-03: Cross Site Scripting

Product AM, OpenAM
Affected versions AM 5.0.0, 5.1.0, 5.1.1 (see pages listed below); OpenAM 13.0.0, 13.5.0
Fixed versions AM 5.0.0, 5.5.1; OpenAM 13.5.1
Component Core Server, Server Only
Severity High

Description:

AM/OpenAM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing.

Affecting AM/OpenAM configuration pages:

  • /task/ConfigureOAuth2 - Patch for AM 5.0.0, AM 5.1.0, OpenAM 13.5.0
  • json/global-config/servers?_action=create - Patch for AM 5.0.0, AM 5.1.0, OpenAM 13.5.0
  • realm-config/authentication/modules/ - Patch for OpenAM 13.5.0
  • Authorization-policysets - Patch for OpenAM 13.5.0
  • 400 error pages - affects IE only - Patch for AM 5.0.0, AM 5.1.0, AM 5.1.1, OpenAM 13.5.0

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-04: Open Redirect

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

The following XUI base URLs do not correctly validate certain redirect URLs, allowing an attacker to redirect an end user to a site they control:

  • XUI/#login
  • XUI/#logout

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-05: Business Logic Vulnerability

Product OpenAM
Affected versions 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

The tokeninfo endpoint does not correctly validate the token signature, allowing a carefully crafted ID token to gain access to that endpoint.

Workaround:

Block access to the following URI endpoint:

  • /oauth2/tokeninfo

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-06: Business Logic Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

An OIDC refresh token is still accepted after the account has been disabled.

Workaround:

Remove a user's account within the directory instead of disabling it.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-07: Information Leakage

Product OpenAM
Affected versions OpenAM Community Edition 11.0.3, 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

It is possible to obtain information about which accounts exist on the system by sending carefully crafted requests to the following endpoints:

  • /json/authenticate

Workaround:

Block access to the following endpoints:

  • /json/authenticate

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-08: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Insufficient validation of the Authentication Context Class Reference at the OpenID Connect endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-09: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Insufficient entropy in Push/OATH recovery codes.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
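Issue #201801-09 turns on how much unpredictability a recovery code carries. The following Python is an added example and not the AM/OpenAM implementation: it draws codes from the operating system's CSPRNG, states the entropy budget explicitly, and stores only salted digests so that each code is single-use and unreadable at rest. The alphabet, code length, 40-bit floor and PBKDF2 round count are constructed choices.

```python
import hashlib
import hmac
import math
import secrets

# Constructed choices: an alphabet without the easily confused glyphs (0/O, 1/l/I)
# and a length that gives roughly 49.5 bits per code.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # 31 symbols
CODE_LENGTH = 10
MIN_BITS = 40            # floor chosen for this example; tune to your threat model
PBKDF2_ROUNDS = 10_000   # codes are stored like passwords, so a slow hash is used


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random code of the given shape."""
    return length * math.log2(alphabet_size)


def generate_codes(count=10):
    """Codes are drawn with secrets.choice, i.e. from the OS CSPRNG; never from
    random.Random, a timestamp, or a counter."""
    if entropy_bits(len(ALPHABET), CODE_LENGTH) < MIN_BITS:
        raise ValueError("code shape does not meet the entropy floor")
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def _digest(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """What is persisted per user: a salt and the digests of the unused codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [_digest(c, self.salt) for c in codes]

    def remaining(self):
        return len(self.unused)

    def redeem(self, candidate):
        """True exactly once per valid code. Every stored digest is compared in
        constant time and the loop never stops early, so timing does not reveal
        which position (if any) matched."""
        d = _digest(candidate.strip().lower(), self.salt)
        matched = None
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, d):
                matched = i
        if matched is None:
            return False
        del self.unused[matched]
        return True


if __name__ == "__main__":
    codes = generate_codes()
    print("entropy per code: %.1f bits" % entropy_bits(len(ALPHABET), CODE_LENGTH))
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The entropy check in generate_codes is the point of the example: if someone later shortens the code to fit a UI, the floor fails loudly instead of silently weakening every user's recovery path.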

Issue #201801-10: LDAP Injection Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

A well-crafted request can cause LDAP injection on a particular endpoint.

Workaround:

Disable the following OpenID Connect-specific endpoint:

  • oauth2/userinfo

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-11: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Low

Description:

Users without an email address may be susceptible to password reset using the user self-service endpoint.

Workaround:

Disable User Self Service: Password Reset

Ensure every user has an email registered.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-12: Content Spoofing Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Using a carefully crafted authentication request or a malformed URI, an attacker can cause an alternative error message to be displayed.

Workaround:

Block access to the following endpoint:

  • /json/authenticate

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
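The workarounds for issues #201801-03, -05, -07, -10 and -12 all come down to stopping requests for particular paths before they reach AM/OpenAM. The following Apache httpd 2.4 configuration is an added example and not ForgeRock's own; it assumes OpenAM is deployed under the /openam context path behind httpd (mod_proxy), that the endpoint paths are exactly those listed in the issues above, and that 10.0.0.0/8 is a placeholder for the administrative network.

```apache
# Added example, not ForgeRock configuration. Assumes the /openam context path
# and that 10.0.0.0/8 (placeholder) is the only network that should reach the
# configuration pages; adjust both for your deployment.

# #201801-05, -07, -10, -12: the advisory's workaround is to block these outright.
<LocationMatch "^/openam/(oauth2/tokeninfo|oauth2/userinfo|json/authenticate)">
    Require all denied
</LocationMatch>

# #201801-03: configuration pages affected by XSS, reachable only from the
# administrative network until the patch bundle is applied.
<LocationMatch "^/openam/(task/ConfigureOAuth2|json/global-config/servers|realm-config/authentication/modules|Authorization-policysets)">
    Require ip 10.0.0.0/8
</LocationMatch>

# The same denial expressed as a mod_security rule, for deployments that already
# filter with it (requires SecRuleEngine On).
SecRule REQUEST_URI "@rx ^/openam/(oauth2/tokeninfo|oauth2/userinfo|json/authenticate)" \
    "id:201801,phase:1,t:none,deny,status:403,msg:'AM advisory 201801 workaround'"
```

Blocking /json/authenticate as the advisory directs also removes REST-based login for every client, so keep the rule in place only until the patch bundle is applied. Verify it with a request from outside the allowed network and confirm the 403 in the access log before relying on it.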

Issue #201801-13: Business Logic Vulnerability

Product AM
Affected versions 5.0.0, 5.1.0, 5.1.1
Fixed versions AM 5.5.1
Component Core Server, Server Only
Severity Medium

Description:

Stateless Session blacklisting may fail in certain configurations.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-14: Business Logic Vulnerability

Product AM
Affected versions 5.0.0, 5.1.0
Fixed versions AM 5.1.1
Component Core Server, Server Only
Severity High

Description:

In certain situations, ID tokens may be reused in an incorrect context, potentially allowing unauthorized access.

Workaround:

Disable "Save OPS Tokens" for the SSO Provider.

Remove the OpenIdConnectSSOProvider from org.forgerock.openam.sso.providers.list in advanced properties and restart the server(s). 

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
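Issues #201801-05, #201801-08 and #201801-14 are each a missing check on an ID token before its claims are trusted: the signature, the Authentication Context Class Reference, and the context (issuer and audience) the token was issued for. The following Python is an added example of those checks, not code from AM/OpenAM; it uses HS256 with a constructed shared secret so it runs on the standard library alone, and the issuer, client ID and acr levels are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: a real deployment uses a per-client secret (or the IdP's
# public key), its own issuer URL and the acr values it actually configures.
SECRET = b"constructed-demo-hmac-key"
ISSUER = "https://idp.example.test/openam/oauth2"
CLIENT_ID = "demo-client"
MIN_ACR = 2   # hypothetical: acr values are treated as ordinal strings "1", "2", "3"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key=SECRET, alg="HS256"):
    """Issue a compact JWS; used only to build sample tokens for the checks below."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def validate(token, now=None):
    """Return the claims if every check passes, otherwise raise ValueError.
    Signature first; nothing from the payload is used before it is verified."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # 1. Only the algorithm this client expects; "none" or another family is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, ("%s.%s" % (h64, p64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # 2. Issuer and audience bind the token to this IdP and this client, so a token
    #    minted for another client cannot be replayed here.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    # 3. Lifetime.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    # 4. The authentication context must meet the level that was requested.
    try:
        acr = int(claims.get("acr", "0"))
    except ValueError:
        raise ValueError("invalid acr")
    if acr < MIN_ACR:
        raise ValueError("insufficient acr")
    return claims


def rejection_reason(token, now=1000):
    """Empty string when the token is accepted, else the reason it was refused."""
    try:
        validate(token, now=now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    sample = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "exp": 2000, "acr": "2"}
    print("valid token:", rejection_reason(mint(sample)) or "accepted")
    print("alg=none   :", rejection_reason(mint(sample, alg="none")))
    print("other aud  :", rejection_reason(mint(dict(sample, aud="other-client"))))
```

The order matters: the algorithm is pinned and the signature verified before any claim is read, and the audience check is what makes a token unusable outside the context it was issued for.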

Security Enhancement

Description:

Some REST APIs in AM expect SSOToken IDs as part of the URL. This may potentially be logged in various locations and misused by a malicious administrator.

This has been fixed in AM 5.5.0, which allows the REST APIs to take the token from headers and/or the POST body.

Workaround:

Restrict access to any system logs that may record token IDs.

Resolution:

Update/upgrade to a fixed version.
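The enhancement above notes that token IDs carried in URLs end up in logs. The following Python is an added example, not ForgeRock tooling, of scrubbing those values from log lines before the logs are retained or forwarded, and of finding the lines that carried one. The field names and the log lines are constructed for illustration.

```python
import re

# Hypothetical field names; substitute the ones your REST clients and the AM
# endpoints you call actually use.
TOKEN_FIELD_NAMES = ("tokenId", "ssoToken")
PLACEHOLDER = "[REDACTED]"

# Matches the field in each of the places it turns up in a log line:
#   query string        ...?_action=validate&tokenId=VALUE
#   header              ssoToken: VALUE
#   JSON body/response  "tokenId": "VALUE"
# The value class excludes "[" so an already-redacted line is not matched again.
_TOKEN_RE = re.compile(
    r'(\b(?:%s)\b"?\s*[:=]\s*"?)([^"&\s,}\[]+)' % "|".join(map(re.escape, TOKEN_FIELD_NAMES)),
    re.IGNORECASE,
)


def redact(line):
    """Keep the field name so the line stays diagnosable; drop only the value."""
    return _TOKEN_RE.sub(lambda m: m.group(1) + PLACEHOLDER, line)


def redact_all(lines):
    return [redact(line) for line in lines]


def find_leaks(lines):
    """Indexes of lines that carry a token value: a detection to run over logs
    written before redaction was in place."""
    return [i for i, line in enumerate(lines) if _TOKEN_RE.search(line)]


# Constructed sample lines; the token value is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2018:10:00:00 +0000] "GET /openam/json/sessions?_action=validate&tokenId=AQIC5wM2LY4S.constructed HTTP/1.1" 200 41',
    '10.0.0.5 - - [17/Jan/2018:10:00:01 +0000] "POST /openam/json/authenticate HTTP/1.1" 200 88',
    'response body: {"tokenId": "AQIC5wM2LY4S.constructed", "successUrl": "/openam/console"}',
]


if __name__ == "__main__":
    print("lines with a token:", find_leaks(SAMPLE_LOG))
    for line in redact_all(SAMPLE_LOG):
        print(line)
```

Run the redaction at the log shipper or the web server's log pipe, not in the application, so the value is gone before any retention or forwarding system sees it; find_leaks is the companion check for archives that predate the change.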

Documentation Known Issues

The following OAuth1 JSP endpoints were removed in 13.5.0:

  • /oauth/deletetoken.jsp
  • /oauth/deleteconsumer.jsp
  • /oauth/registerconsumer.jsp
  • /oauth/userconsole.jsp

These endpoints still exist in OpenAM 13.0.0 but are not listed in the 13.0.0 endpoint documentation: Reference › Service Endpoints

Use of these endpoints can be mitigated with the appropriate restrictions and authorization, as described in the documentation.

As these are likely to be unused and redundant, they may be deleted to avoid any potential security issues.

Acknowledgements

Florian Hansemann (https://hansesecure.de/)

Johnny Nipper (https://www.linkedin.com/in/johnnynipper/)

Change Log

The following table tracks changes to the security advisory:

Date               Description
February 24, 2021  Added ForgeRock Identity Platform taxon to improve categorization
August 29, 2019    Updated link for Florian Hansemann in Acknowledgements section.
January 17, 2018   Initial release

Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.