Security Advisory

AM/OpenAM Security Advisory #201901

Last updated Jun 4, 2019

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1 and OpenAM 13.0.0-13.5.2, 12.0.x. The OpenAM Community Edition 11.0.3 may also be affected.


June 4, 2019

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

If an upgrade is not possible, the recommendation is to deploy the relevant patches or, if the fix is in a patch release, to upgrade to that patch release.

Security Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • OpenAM 13.5.2
  • AM 5.1.1
  • AM 5.5.1

Customers can obtain these patch bundles from BackStage.

Issue #201901-01: Vulnerable Component

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0
Fixed versions 6.0.0.7, 6.5.0.2, 6.5.1
Component Core Server
Severity Critical

Description:

Certain configurations of OAuth2 clients may be susceptible to client impersonation.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:

  • If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2 
  • If you are on 6.0.0.x version, the fix is provided in patch release 6.0.0.7

Issue #201901-02: Broken access control

Product AM
Affected versions 5.5.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0-6.5.0.1
Fixed versions 6.0.0.7, 6.5.0.2, 6.5.1
Component Core Server
Severity Critical

Description:

It may be possible to create policies for unentitled resources.

Workaround:

Block requests to the 'users/xyz/policies' endpoint.

Note: user CREATE actions recorded with "component":"Policy" in the access.audit log indicate use of this endpoint.

Additionally, auditing policies to look for unsolicited entries is recommended.
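The following is an added example, not ForgeRock code, showing the two halves of the workaround above in one place: a path rule for the users/xyz/policies endpoint that a reverse proxy or filter could apply, and a scan of access.audit records for user CREATE actions on "component":"Policy". The audit lines are constructed to resemble AM's JSON access.audit format; the field names used (component, operation, userId, http.request.path, response.status, timestamp) are assumptions and should be checked against your own log output.

```python
"""Detection and blocking helpers for the users/<id>/policies workaround.

Added example for AM/OpenAM Advisory #201901-02; this is not ForgeRock code.
The sample audit records below are constructed to resemble AM's JSON
access.audit format; the field names used are assumptions.
"""
import json
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote, urlsplit

# The per-user policy endpoint the advisory recommends blocking, e.g.
# /openam/json/users/demo/policies or /openam/json/realms/root/users/demo/policies.
USER_POLICIES_RE = re.compile(r"/users/[^/?#]+/policies(?=[/?#]|$)", re.IGNORECASE)


def should_block(url_or_path: str) -> bool:
    """Workaround rule: True if a request targets users/<id>/policies.

    Accepts a bare path or a full URL (AM audit records carry full URLs).
    Both the raw and the percent-decoded path are checked so that an encoded
    variant cannot slip past the deny rule.
    """
    raw_path = urlsplit(url_or_path).path
    return any(USER_POLICIES_RE.search(p) for p in (raw_path, unquote(raw_path)))


def _request_path(event: dict) -> str:
    """Pull http.request.path out of an audit record (assumed field layout)."""
    return event.get("http", {}).get("request", {}).get("path", "")


def find_user_policy_creates(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan access.audit JSON lines for CREATE operations on the Policy
    component that went through the per-user endpoint.

    Administrator policy creation via /policies is normal traffic and is left
    out; malformed lines are skipped rather than aborting the scan.
    """
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if event.get("component") != "Policy" or event.get("operation") != "CREATE":
            continue
        path = _request_path(event)
        if not should_block(path):
            continue  # created through the normal /policies endpoint
        findings.append({
            "timestamp": event.get("timestamp", ""),
            "userId": event.get("userId", ""),
            "path": path,
            "status": event.get("response", {}).get("status", ""),
        })
    return findings


# Constructed sample records; not taken from a real deployment.
SAMPLE_AUDIT_LINES = [
    # Per-user endpoint, CREATE on Policy: the pattern the advisory describes.
    '{"timestamp":"2019-06-04T10:12:33.123Z","eventName":"AM-ACCESS-OUTCOME",'
    '"userId":"id=demo,ou=user,dc=openam,dc=example,dc=com","component":"Policy",'
    '"operation":"CREATE","http":{"request":{"method":"POST",'
    '"path":"http://openam.example.com:8080/openam/json/realms/root/users/demo/policies",'
    '"queryParameters":{"_action":["create"]}}},"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    # Administrator creating a policy through the normal endpoint: expected traffic.
    '{"timestamp":"2019-06-04T10:13:01.004Z","eventName":"AM-ACCESS-OUTCOME",'
    '"userId":"id=amadmin,ou=user,dc=openam,dc=example,dc=com","component":"Policy",'
    '"operation":"CREATE","http":{"request":{"method":"POST",'
    '"path":"http://openam.example.com:8080/openam/json/realms/root/policies",'
    '"queryParameters":{"_action":["create"]}}},"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    # Per-user endpoint but a READ, not a CREATE.
    '{"timestamp":"2019-06-04T10:14:20.550Z","eventName":"AM-ACCESS-OUTCOME",'
    '"userId":"id=demo,ou=user,dc=openam,dc=example,dc=com","component":"Policy",'
    '"operation":"READ","http":{"request":{"method":"GET",'
    '"path":"http://openam.example.com:8080/openam/json/realms/root/users/demo/policies",'
    '"queryParameters":{}}},"response":{"status":"SUCCESSFUL","statusCode":"200"}}',
    # Truncated line, as happens at a log rotation boundary.
    '{"timestamp":"2019-06-04T10:15:00.000Z","eventName":"AM-ACCESS-OUT',
]


if __name__ == "__main__":
    for hit in find_user_policy_creates(SAMPLE_AUDIT_LINES):
        print(f"{hit['timestamp']} {hit['userId']} created a policy via {hit['path']} ({hit['status']})")
```

Run against a real access.audit file with `find_user_policy_creates(open(path))`; the same `should_block` rule can be translated directly into a deny rule for whatever sits in front of AM. Because the advisory's fix is in the patch release, treat any hit as something to review against the policy store rather than as proof of compromise on its own.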

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:

  • If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2 
  • If you are on 6.0.0.x version, the fix is provided in patch release 6.0.0.7

Issue #201901-03: Cross Site Scripting

Product OpenAM, AM
Affected versions 13.0.0-13.5.2, 5.0.0-5.5.1
Fixed versions 6.0.0
Component Core Server
Severity Critical

Description:

AM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing, at the following endpoints:

  • /openam/Masthead.jsp (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)
  • SAMLPOSTProfileServlet (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)
  • oauth2/authorize (patch for 13.5.2, 5.1.1, 5.5.1; fixed in 6.0.0 and later)

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed. 

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-04: Security Misconfiguration

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity Medium

Description:

TLS hostname verification is disabled by default on some services.

Workaround:

Remove the standard CAs from the trust store and instead manually add individual certificates or intermediate CAs for the services you need to connect to.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-05: Broken Access Control: Federation

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity Medium

Description:

It may be possible to bypass authentication in certain SAML session upgrade scenarios.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-06: Open Redirect

Product AM
Affected versions 5.0.0-5.5.1
Fixed versions 6.0.0
Component Core Server
Severity Medium

Description:

The Agent-based CDSSO may not correctly validate redirect URLs, allowing an attacker to redirect an end user to a site they control.

Workaround:

Ensure that Enable Cookie Hijacking Prevention is enabled, i.e. com.sun.identity.enableUniqueSSOTokenCookie is set to true.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-07: Business Logic Vulnerability

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity High

Description:

In some circumstances, memory (non-persistent) account lockout may fail to work. This does not affect persistent lockout.

Workaround:

Use persistent (physical) lockout.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-08: Open Redirect and Potential XSS

Product OpenAM, AM
Affected versions 13.5.0, 5.0.0-5.1.1
Fixed versions 13.5.2, 5.5.0
Component Core Server
Severity Medium

Description:

Error handling by the /oauth2/authorize endpoint may result in an unvalidated redirect URL and potential reflected XSS.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Reference:

CVE-2017-14394, CVE-2017-14395  
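Issues #201901-06 and #201901-08 both come down to a redirect target that is not validated before being used. The following is an added, illustrative example of allow-list validation for such a target; it is not AM's implementation and the host names and default landing page are constructed placeholders.

```python
"""Allow-list validation of redirect targets.

Added example for the open-redirect issues in AM/OpenAM Advisory #201901
(#201901-06, CDSSO redirect URLs; #201901-08, /oauth2/authorize error
handling). Illustrative code, not AM's implementation; host names are
constructed placeholders.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"app.example.com", "portal.example.com"})  # constructed
DEFAULT_TARGET = "https://app.example.com/"  # constructed landing page


def safe_redirect_target(candidate: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return candidate only if it is a site-relative path or an https URL
    whose host is on the allow-list; otherwise return default.

    Rejects the usual bypass shapes: protocol-relative //host, userinfo
    (trusted@evil), backslashes (browsers treat them as slashes), control
    characters and whitespace (header injection), non-https schemes such as
    javascript:, look-alike hosts such as app.example.com.evil.example, and
    non-standard ports.
    """
    if not candidate:
        return default
    if any(ch in "\\\r\n\t " or ord(ch) < 0x20 for ch in candidate):
        return default
    if candidate.startswith("/"):
        # Site-relative path stays on the current host; // would not.
        return default if candidate.startswith("//") else candidate
    parts = urlsplit(candidate)
    if parts.scheme.lower() != "https":
        return default
    if parts.username is not None or parts.password is not None:
        return default
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    if port not in (None, 443):
        return default
    host = parts.hostname or ""  # urlsplit lower-cases the host name
    if host not in {h.lower() for h in allowed_hosts}:
        return default
    return candidate


if __name__ == "__main__":
    for sample in ("https://app.example.com/home", "/dashboard",
                   "//evil.example/", "https://app.example.com@evil.example/",
                   "javascript:alert(1)", "https://app.example.com.evil.example/"):
        print(f"{sample!r:50} -> {safe_redirect_target(sample)}")
```

For an OAuth 2.0 redirect_uri the allow-list should be the client's registered redirect URIs compared as exact strings, not a host match; and, as issue #201901-08 shows, the error path matters as much as the success path: an error page must not reflect the unvalidated value either.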

Change Log

The following table tracks changes to the security advisory:

Date          Description
June 4, 2019  Initial release


Copyright © 2019 ForgeRock, all rights reserved.