April 14, 2016
A security vulnerability has been discovered in the OpenAM Web Policy Agent. This issue is present in version 4.0.0 of the OpenAM Web Policy Agent.
This advisory provides guidance on how to ensure your deployments can be secured. A workaround and a patch is available for the issue.
The maximum severity of the issue in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.
The recommendation is to deploy the following maintenance release of the Web Policy Agent (in accordance with ForgeRock’s Maintenance and Patch availability policy):
Customers can obtain this updated Web Agent version from BackStage.
Issue #201603-01: Business Logic Vulnerability
|Product||OpenAM Web Policy Agent|
|Issue Tracker ID||AMAGENTS-8|
When the Agent not enforced list contains a wildcard entry it may be possible to access any protected resource on the server without the need for authorization.
Set ‘com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list’ to false and define explicit security rules for your website not-enforced resources.
Alternatively, set ‘com.forgerock.agents.notenforced.url.regex.enable’ to true and use regular expression based ‘not-enforced rules’ as per OpenAM Web Policy Agent User's Guide › Configuring Web Policy Agents › Configuring Web Policy Agent Application Properties, instead of the older wildcard approach. Even so, explicit ‘not-enforced rules’ will need to be created.
However, it should be noted that neither of these workarounds will work well with dynamic URLs. In this instance, the only solution is to upgrade to the 4.0.1 Web Agent Release.
Use the workaround or deploy the relevant 4.0.1 Web Policy Agent Release.