Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

OpenAM Web Policy Agent Security Advisory #201603

Last updated Feb 24, 2021

A security vulnerability has been discovered in the OpenAM Web Policy Agent. This issue is present in version 4.0.0 of the OpenAM Web Policy Agent.

April 14, 2016

This advisory provides guidance on how to ensure your deployments can be secured. A workaround and a patch are available for the issue.

The maximum severity of the issue in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.

The recommendation is to deploy the following maintenance release of the Web Policy Agent (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 4.0.1

Customers can obtain this updated Web Agent version from BackStage.

Issue #201603-01: Business Logic Vulnerability

Product: OpenAM Web Policy Agent
Affected versions: 4.0.0
Fixed versions: 4.0.1
Component: Web Agent
Severity: Critical
Issue Tracker ID: AMAGENTS-8

Description:

When the agent's not-enforced list contains a wildcard entry, it may be possible to access any protected resource on the server without authorization.

Workaround:

Set ‘com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list’ to false and define explicit security rules for your website's not-enforced resources.

Alternatively, set ‘com.forgerock.agents.notenforced.url.regex.enable’ to true and use regular-expression-based ‘not-enforced rules’, as described in OpenAM Web Policy Agent User's Guide › Configuring Web Policy Agents › Configuring Web Policy Agent Application Properties, instead of the older wildcard approach. Even so, explicit ‘not-enforced rules’ will still need to be created.

Note that neither of these workarounds works well with dynamic URLs. In that case, the only solution is to upgrade to the 4.0.1 Web Agent release.
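As an added example (not part of this advisory and not ForgeRock's code), the following Python check parses an agent properties file and flags the configuration pattern the workarounds address: wildcard not-enforced entries while regex mode is off and path-info ignoring is not explicitly disabled. The indexed property name com.sun.identity.agents.config.notenforced.url[N] is assumed from the standard agent configuration rather than quoted in the advisory, and the sample configurations are constructed.

```python
from typing import Dict, List

# Property names quoted in the advisory's workaround section.
IGNORE_PATH_INFO = "com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list"
REGEX_ENABLE = "com.forgerock.agents.notenforced.url.regex.enable"
# Assumed (standard indexed agent property, not quoted in the advisory).
NOT_ENFORCED_PREFIX = "com.sun.identity.agents.config.notenforced.url["

# Constructed sample configurations, not taken from any real deployment.
RISKY_CONF = """
com.sun.identity.agents.config.notenforced.url[0] = http://www.example.com/public/*
"""
WORKAROUND_CONF = """
com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list = false
com.sun.identity.agents.config.notenforced.url[0] = http://www.example.com/public/index.html
com.sun.identity.agents.config.notenforced.url[1] = http://www.example.com/public/logo.png
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a Java-style properties file: 'key = value' lines, '#' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_not_enforced(props: Dict[str, str]) -> List[str]:
    """Flag the pattern behind AMAGENTS-8: wildcard not-enforced rules while
    regex mode is off and path-info ignoring is not explicitly set to false."""
    findings: List[str] = []
    regex_mode = props.get(REGEX_ENABLE, "false").strip().lower() == "true"
    entries = [v for k, v in props.items() if k.startswith(NOT_ENFORCED_PREFIX)]
    wildcards = [e for e in entries if "*" in e]
    if wildcards and not regex_mode:
        findings.append("wildcard not-enforced entries in non-regex mode: " + ", ".join(wildcards))
        if props.get(IGNORE_PATH_INFO, "").strip().lower() != "false":
            findings.append(IGNORE_PATH_INFO + " is not explicitly set to false")
    return findings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("workaround", WORKAROUND_CONF)):
        print(name, audit_not_enforced(parse_properties(conf)) or ["no findings"])
```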

Resolution:

Use the workaround or deploy the relevant 4.0.1 Web Policy Agent Release.

Change Log

The following table tracks changes to the security advisory:

Date | Description
February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization


Copyright © 2021 ForgeRock, all rights reserved.