AM/OpenAM Security Advisory #201901
Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1 and OpenAM 13.0.0-13.5.2, 12.0.x. The OpenAM Community Edition 11.0.3 may also be affected.
June 4, 2019
This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all of the issues.
The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
If an upgrade is not possible, the recommendation is to deploy the relevant patches or, if the fix is in a patch release, upgrade to that patch release.
Security Patch bundles are available for the following versions (in accordance with the ForgeRock Maintenance Release and Patch Policy):
- OpenAM 13.5.2
- AM 5.1.1
- AM 5.5.1
Customers can obtain these patch bundles from BackStage.
Issue #201901-01: Vulnerable Component
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0 |
Fixed versions | 6.0.0.7, 6.5.0.2, 6.5.1 |
Component | Core Server |
Severity | Critical |
Description:
Certain configurations of OAuth2 clients may be susceptible to client impersonation.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:
- If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2.
- If you are on a 6.0.0.x version, the fix is provided in patch release 6.0.0.7.
Issue #201901-02: Broken access control
Product | AM |
---|---|
Affected versions | 5.5.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0-6.5.0.1 |
Fixed versions | 6.0.0.7, 6.5.0.2, 6.5.1 |
Component | Core Server |
Severity | Critical |
Description:
It may be possible to create policies for unentitled resources.
Workaround:
Block requests to the 'users/xyz/policies' endpoint.
Note that user CREATE actions recorded against "component":"Policy" in the access.audit log indicate use of this endpoint and can be used to detect attempts.
Additionally, auditing existing policies for unsolicited entries is recommended.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:
- If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2.
- If you are on a 6.0.0.x version, the fix is provided in patch release 6.0.0.7.
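The workaround above points defenders at the access.audit log. As an added example (not ForgeRock's code and not part of the advisory), the following scan reads access.audit entries as JSON Lines and reports policy CREATE actions, flagging those made by a non-administrative user or through the per-user 'users/xyz/policies' path. The sample lines and the administrator list are constructed; only "component":"Policy" and the CREATE action are named by the advisory, so the other field names (request.operation, http.request.path, userId, response.statusCode) are assumptions about the AM access audit layout and should be checked against a real log before use.

```python
import json

# Constructed sample access.audit entries (JSON Lines), one event per line.
# Field names other than "component" and the CREATE operation are assumptions
# about the AM access audit format.
SAMPLE_AUDIT_LINES = [
    '{"timestamp":"2019-06-04T10:00:01Z","component":"Policy",'
    '"userId":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",'
    '"request":{"protocol":"CREST","operation":"CREATE"},'
    '"http":{"request":{"method":"POST","path":"/openam/json/policies"}},'
    '"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    '{"timestamp":"2019-06-04T10:02:13Z","component":"Policy",'
    '"userId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org",'
    '"request":{"protocol":"CREST","operation":"CREATE"},'
    '"http":{"request":{"method":"POST","path":"/openam/json/users/demo/policies"}},'
    '"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    '{"timestamp":"2019-06-04T10:02:40Z","component":"Policy",'
    '"userId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org",'
    '"request":{"protocol":"CREST","operation":"QUERY"},'
    '"http":{"request":{"method":"GET","path":"/openam/json/policies"}},'
    '"response":{"status":"SUCCESSFUL","statusCode":"200"}}',
    '{"timestamp":"2019-06-04T10:03:05Z","component":"Authentication",'
    '"userId":"id=demo,ou=user,dc=openam,dc=forgerock,dc=org",'
    '"request":{"protocol":"CREST","operation":"ACTION"},'
    '"http":{"request":{"method":"POST","path":"/openam/json/authenticate"}},'
    '"response":{"status":"SUCCESSFUL","statusCode":"200"}}',
    'not a json line; real logs can contain partial writes',
]

# Constructed: identities that are expected to create policies.
ADMIN_USERS = frozenset({"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org"})


def find_policy_creates(lines, admin_users=ADMIN_USERS):
    """Return one record per CREATE action on the Policy component."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if event.get("component") != "Policy":
            continue
        if (event.get("request") or {}).get("operation") != "CREATE":
            continue
        path = ((event.get("http") or {}).get("request") or {}).get("path", "")
        user = event.get("userId", "")
        hits.append({
            "timestamp": event.get("timestamp"),
            "userId": user,
            "path": path,
            "statusCode": (event.get("response") or {}).get("statusCode"),
            # The per-user endpoint named in the advisory's workaround.
            "via_users_endpoint": "/users/" in path and path.endswith("/policies"),
            "by_admin": user in admin_users,
        })
    return hits


def flag_suspicious(hits):
    """Policy creation by a non-admin, or via the per-user endpoint, is unexpected."""
    return [h for h in hits if not h["by_admin"] or h["via_users_endpoint"]]


if __name__ == "__main__":
    for hit in flag_suspicious(find_policy_creates(SAMPLE_AUDIT_LINES)):
        print(f'{hit["timestamp"]} {hit["userId"]} CREATE {hit["path"]} -> {hit["statusCode"]}')
```

In a real deployment, point the scan at the access.audit files (or the audit event handler's destination) and reconcile each flagged entry against the policy set, which is the second half of the workaround: a successful CREATE that does not correspond to an approved policy is the case this advisory describes.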
Issue #201901-03: Cross Site Scripting
Product | OpenAM, AM |
---|---|
Affected versions | 13.0.0-13.5.2, 5.0.0-5.5.1 |
Fixed versions | 6.0.0 |
Component | Core Server |
Severity | Critical |
Description:
AM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing:
- /openam/Masthead.jsp (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)
- SAMLPOSTProfileServlet (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)
- oauth2/authorize (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)
Workaround:
Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201901-04: Security Misconfiguration
Product | OpenAM, AM |
---|---|
Affected versions | 13.0.0-13.5.1, 5.0.0-5.5.1 |
Fixed versions | 13.5.2, 6.0.0 |
Component | Core Server |
Severity | Medium |
Description:
TLS hostname verification is disabled by default on some services.
Workaround:
Remove the standard CAs from the trust store and instead manually add individual certificates or intermediate CAs for the services you need to connect to.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201901-05: Broken Access Control: Federation
Product | OpenAM, AM |
---|---|
Affected versions | 13.0.0-13.5.1, 5.0.0-5.5.1 |
Fixed versions | 13.5.2, 6.0.0 |
Component | Core Server |
Severity | Medium |
Description:
It may be possible to bypass authentication in certain SAML session upgrade scenarios.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201901-06: Open Redirect
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1 |
Fixed versions | 6.0.0 |
Component | Core Server |
Severity | Medium |
Description:
Agent-based CDSSO may not correctly validate redirect URLs, allowing an attacker to redirect an end user to a site they control.
Workaround:
Ensure that Enable Cookie Hijacking Prevention is enabled, i.e. com.sun.identity.enableUniqueSSOTokenCookie is set to true.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201901-07: Business Logic Vulnerability
Product | OpenAM, AM |
---|---|
Affected versions | 13.0.0-13.5.1, 5.0.0-5.5.1 |
Fixed versions | 13.5.2, 6.0.0 |
Component | Core Server |
Severity | High |
Description:
In some circumstances, memory-based (in-memory) account lockout may fail to work. This does not affect persistent lockout.
Workaround:
Use persistent (physical) lockout.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201901-08: Open Redirect and Potential XSS
Product | OpenAM, AM |
---|---|
Affected versions | 13.5.0, 5.0.0-5.1.1 |
Fixed versions | 13.5.2, 5.5.0 |
Component | Core Server |
Severity | Medium |
Description:
Error handling by the /oauth2/authorize endpoint may result in an unvalidated redirect URL and potential reflected XSS.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Reference:
CVE-2017-14394, CVE-2017-14395
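Issues #201901-06 and #201901-08 both come down to a redirect URL that is not validated before the browser is sent to it. The following is an added example, not AM's code and not ForgeRock's fix, of the validation a relying application or fronting proxy can apply to any redirect parameter it accepts: relative targets must be a single same-site path, absolute targets must be https on an allowlisted host, and anything else falls back to a fixed default. The allowlist and default are constructed assumptions; the rejected cases in the test are the usual parser-confusion inputs (scheme-relative, backslash, credentials in the authority, look-alike suffix) that a naive "starts with our host" check lets through.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts this deployment may redirect to, and the
# fallback used whenever a candidate fails validation (both are assumptions).
ALLOWED_HOSTS = frozenset({"app.example.com", "sso.example.com"})
DEFAULT_REDIRECT = "https://app.example.com/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_REDIRECT):
    """Return either a same-site path or an https URL on an allowlisted host;
    every other input yields `default`."""
    if not candidate:
        return default
    # Control characters and whitespace never belong in a redirect target;
    # they are what header-splitting and parser-confusion inputs rely on.
    if any(ord(ch) < 0x21 or ch == "\x7f" for ch in candidate):
        return default
    # Browsers treat a backslash like a forward slash ("/\host" acts as
    # "//host"), but urlsplit does not, so reject it rather than guess.
    if "\\" in candidate:
        return default

    parts = urlsplit(candidate)

    # Relative target: accept exactly one leading "/" so that "//host" and
    # "///host" (scheme-relative to a browser) cannot pass as a path.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute target: https only; no credentials in the authority, because
    # "https://app.example.com@evil.example" has hostname evil.example.
    if parts.scheme.lower() != "https" or "@" in parts.netloc:
        return default
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return default
    host = parts.hostname          # lower-cased, port removed
    if host is None or host not in allowed_hosts or port not in (None, 443):
        return default

    # Re-serialise with the normalised host so raw input is never echoed.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for value in ("/dashboard", "https://APP.example.com", "//evil.example.net/"):
        print(f"{value!r:36} -> {safe_redirect_target(value)}")
```

Exact-host matching is deliberate: suffix or prefix matching against the allowlist is how look-alike hosts such as app.example.com.evil.example.net get accepted, and the same applies to the redirect_uri registered for an OAuth2 client.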
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization |
June 4, 2019 | Initial release |