Security Advisory

AM Agents Security Advisory #201905

Last updated Nov 5, 2019

Security vulnerabilities have been discovered in the AM Web and Java Agents. These issues are present in Agents 5.x.


November 05, 2019

Security vulnerabilities have been found in the AM Web and Java Agents.

This advisory provides guidance on securing affected deployments. Fixes for all of the vulnerabilities are available in the latest Agents releases.

The highest rating for a Web Agent vulnerability is Critical and is exploitable; the highest rating for a Java Agent vulnerability is also Critical but is not exploitable. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Web Agent 5.6.2.0 and AM Java Agent 5.6.2.0.

Customers can obtain the fixed versions of the AM Web and Java Agents from BackStage.

Issue #201905-01

Product AM Web Agent
Affected versions 5.0, 5.0.1.0, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.5.1.0, 5.5.1.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

The AM Web Agent uses a field named "suid", carried in the id_token, that contains the session id. The value can be spoofed in a crafted id_token or copied from another user's token.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.
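As an added example (not ForgeRock's code, and not a description of how the Web Agent actually processes the token), the following shows why a claim such as "suid" must not be acted on before the id_token's signature has been verified and the claim has been bound to the session the agent already holds for the requester. It assumes the id_token is a compact JWS signed with HS256 under a key the agent possesses, uses jackson-databind for the JSON, and takes the requester's own session id as a parameter; the key, the session ids, the user names and the timestamp are constructed for the example.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the agent's code. Key, session ids and timestamp are constructed.
public class SuidBindingDemo {
    private static final ObjectMapper JSON = new ObjectMapper();
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    private static final long NOW = 1572912000L; // 2019-11-05, fixed so runs are deterministic

    static byte[] hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }

    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
    static String unb64(String s) { return new String(DEC.decode(s), StandardCharsets.UTF_8); }

    /** Stands in for the provider that issues id_tokens. */
    static String mint(String sub, String suid, long exp) throws Exception {
        String header = b64("{\"alg\":\"HS256\",\"typ\":\"JWT\"}");
        String payload = b64(JSON.writeValueAsString(Map.of("sub", sub, "suid", suid, "exp", exp)));
        return header + "." + payload + "." + ENC.encodeToString(hmac(header + "." + payload));
    }

    /** Vulnerable pattern: read suid straight out of the payload, trusting whoever sent it. */
    static String suidUnverified(String token) throws Exception {
        Map<String, Object> claims =
            JSON.readValue(unb64(token.split("\\.")[1]), new TypeReference<Map<String, Object>>() {});
        return (String) claims.get("suid");
    }

    /** Hardened: check alg, signature and expiry, then bind suid to the requester's own session. */
    static String suidVerified(String token, String requesterSession) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        Map<String, Object> header =
            JSON.readValue(unb64(parts[0]), new TypeReference<Map<String, Object>>() {});
        if (!"HS256".equals(header.get("alg"))) throw new SecurityException("unexpected alg");
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expected, DEC.decode(parts[2]))) throw new SecurityException("bad signature");
        Map<String, Object> claims =
            JSON.readValue(unb64(parts[1]), new TypeReference<Map<String, Object>>() {});
        if (((Number) claims.getOrDefault("exp", 0)).longValue() <= NOW) throw new SecurityException("expired");
        String suid = (String) claims.get("suid");
        // A validly signed token copied from another user still carries that user's suid;
        // the signature alone does not catch it, the binding to this session does.
        if (suid == null || !MessageDigest.isEqual(suid.getBytes(StandardCharsets.UTF_8),
                requesterSession.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("suid does not match the requester's session");
        }
        return suid;
    }

    /** What an attacker without the key can do: edit the payload and keep the old signature. */
    static String forgeSuid(String token, String newSuid) throws Exception {
        String[] parts = token.split("\\.");
        Map<String, Object> claims =
            JSON.readValue(unb64(parts[1]), new TypeReference<Map<String, Object>>() {});
        claims.put("suid", newSuid);
        return parts[0] + "." + b64(JSON.writeValueAsString(claims)) + "." + parts[2];
    }

    static void check(String label, String token, String session) throws Exception {
        try {
            System.out.println(label + " -> accepted as " + suidVerified(token, session));
        } catch (SecurityException e) {
            System.out.println(label + " -> rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        String alice = mint("alice", "sess-alice", NOW + 300);
        String bob = mint("bob", "sess-bob", NOW + 300);
        String spoofed = forgeSuid(bob, "sess-alice"); // bob rewrites his token to claim alice's session

        System.out.println("unverified, spoofed token -> " + suidUnverified(spoofed)); // accepted: sess-alice
        System.out.println("verified, own token       -> " + suidVerified(alice, "sess-alice"));
        check("verified, spoofed token", spoofed, "sess-alice"); // bad signature
        check("verified, copied token ", alice, "sess-bob");     // bob replays alice's valid token
    }
}
```

The spoofed token is accepted by suidUnverified but rejected by suidVerified on the signature check; Alice's valid token replayed by Bob passes the signature check and is rejected only by the binding to Bob's own session, which is the copied-from-another-user case in the description above.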

Issue #201905-02

Product AM Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

Addresses the following CVEs found in the Jackson-Databind library:

  • CVE-2019-16335 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource.
  • CVE-2019-14540 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

This is a critical defect, but it is deemed not exploitable in the agent itself, because the agent does not use polymorphic typing. The library has been updated anyway in case the customer's application or the container picks up the agent's copy of jackson-databind.

Workaround:

The Medium article "On Jackson CVEs: Don’t Panic — Here is what you need to know" advises:

  1. Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of a given minor version (safest in the sense that there should be no breaking changes to functionality)
  2. If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
  3. AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing
  4. If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes)

Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.

Resolution:

Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.

Issue #201905-03

Product AM Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

Addresses the following CVEs found in the Jackson-Databind library:

  • CVE-2019-16942 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
  • CVE-2019-16943 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

This is a critical defect, but it is deemed not exploitable in the agent itself, because the agent does not use polymorphic typing. The library has been updated anyway in case the customer's application or the container picks up the agent's copy of jackson-databind.

Workaround:

The Medium article "On Jackson CVEs: Don’t Panic — Here is what you need to know" advises:

  1. Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of a given minor version (safest in the sense that there should be no breaking changes to functionality)
  2. If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
  3. AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing
  4. If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes)

Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.

Resolution:

Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.
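The workaround sections of issues #201905-02 and #201905-03 quote the same four guidelines. The following is an added example, not ForgeRock's or the agent's code, that puts them beside the configuration these CVEs require: an ObjectMapper with Default Typing enabled and a java.lang.Object-typed property, contrasted with the 2.10 validator API and with a closed set of subtypes identified by @JsonTypeInfo(use = Id.NAME). It assumes jackson-databind 2.10 on the classpath. The class name in the constructed input is one of the two named in CVE-2019-16942 and its body is empty, so it shows only that the sender chooses which class gets instantiated; it is not an exploit, and no RMI endpoint or commons-dbcp jar is involved. Event, LoginEvent, LogoutEvent, UntypedEvent and TypedEvent are names made up for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not the agent's code. All type names below are made up for the demo.
public class PolymorphicTypingDemo {

    // Vulnerable shape (guideline 3 violated): the nominal type is Object, so with
    // Default Typing enabled the sender names the class to instantiate.
    public static class UntypedEvent {
        public Object payload;
    }

    // Hardened shape (guideline 4): a closed set of subtypes selected by a logical
    // name rather than a class name. Unknown names are rejected, no class is looked up.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = LoginEvent.class, name = "login"),
        @JsonSubTypes.Type(value = LogoutEvent.class, name = "logout")
    })
    public interface Event {}

    public static class LoginEvent implements Event { public String user; }
    public static class LogoutEvent implements Event { public String user; }

    public static class TypedEvent {
        public Event payload;
    }

    // Constructed input in the shape Default Typing expects: ["<class name>", {...}].
    // The class name is one of the two in CVE-2019-16942; the body is empty, so this
    // only shows that the sender picks the class. It is not an exploit.
    static final String GADGET_JSON =
        "{\"payload\":[\"org.apache.commons.dbcp.datasources.SharedPoolDataSource\",{}]}";

    static final String NAMED_JSON = "{\"payload\":{\"type\":\"login\",\"user\":\"alice\"}}";

    public static void main(String[] args) throws Exception {
        // 1. The configuration the CVEs require. enableDefaultTyping() applies to Object
        //    and abstract/interface-typed values and is deprecated in 2.10 for this reason.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping();
        try {
            unsafe.readValue(GADGET_JSON, UntypedEvent.class);
            System.out.println("unsafe mapper: instantiated the class named by the sender");
        } catch (Exception e) {
            // Without commons-dbcp on the classpath the class cannot be resolved at all; with
            // it, a jackson-databind release lacking the fix for CVE-2019-16942 would construct
            // the DataSource, while a fixed release refuses the class name outright.
            System.out.println("unsafe mapper: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }

        // 2. If Default Typing cannot be removed, the 2.10 API gates it with a validator that
        //    allows only your own base type, so class names outside it are refused.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Event.class)
            .build();
        ObjectMapper gated = new ObjectMapper();
        gated.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            gated.readValue(GADGET_JSON, UntypedEvent.class);
            System.out.println("gated mapper: accepted (should not happen)");
        } catch (Exception e) {
            System.out.println("gated mapper refused: " + e.getClass().getSimpleName());
        }

        // 3. Preferred: no Default Typing at all; polymorphism is explicit and name based.
        ObjectMapper safe = new ObjectMapper();
        TypedEvent ok = safe.readValue(NAMED_JSON, TypedEvent.class);
        System.out.println("safe mapper: " + ok.payload.getClass().getSimpleName()
            + " for user " + ((LoginEvent) ok.payload).user);
        try {
            safe.readValue(GADGET_JSON, TypedEvent.class); // no such type name; no class lookup happens
            System.out.println("safe mapper: accepted (should not happen)");
        } catch (Exception e) {
            System.out.println("safe mapper refused: " + e.getClass().getSimpleName());
        }
    }
}
```

The point for a deployer auditing their own application next to the agent: grep for enableDefaultTyping, activateDefaultTyping and @JsonTypeInfo(use = Id.CLASS) and for fields typed Object or Serializable that are deserialized from untrusted input; the first mapper above is what those findings look like, the third is where to move them.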

Issue #201905-04

Product AM Web Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

The OAuth2 id_token handling is vulnerable to a CSRF attack.

Workaround:

Use HTTPS transport.

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-05

Product AM Web Agent and Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

The Secure cookie property does not function: the Secure attribute is not set on the cookie even when it is requested in the configuration. Secure should be the default over HTTPS, so that the cookie cannot be exposed to, or manipulated from, a non-TLS connection.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-06

Product AM Web and Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

The agent logout page does not set a no-cache header. If the browser serves the logout page from its cache, the logout request never reaches the agent and the session is not terminated, so the user is not forced to re-authenticate.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.
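For issues #201905-05 and #201905-06 together, the following added example (not ForgeRock's code) is a small audit a deployer can run over captured response headers after upgrading: it flags any Set-Cookie sent over HTTPS without the Secure attribute, and a logout page whose Cache-Control does not forbid caching. The two header sets are constructed; the cookie name iPlanetDirectoryPro is AM's default session cookie name and is an assumption here, not something the advisory states.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not the agent's code. Header sets in main() are constructed.
public class AgentHeaderAudit {

    /** Findings for one response; an empty list means nothing to fix. */
    static List<String> audit(List<String> headers, boolean overHttps, boolean isLogoutPage) {
        List<String> findings = new ArrayList<>();
        boolean cacheControlOk = false;
        for (String h : headers) {
            int colon = h.indexOf(':');
            if (colon < 0) continue; // status line or malformed header
            String name = h.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = h.substring(colon + 1).trim();
            if (name.equals("set-cookie")) {
                auditCookie(value, overHttps, findings);
            } else if (name.equals("cache-control")) {
                String v = value.toLowerCase(Locale.ROOT);
                // Either directive stops the logout page being replayed from cache.
                cacheControlOk = v.contains("no-store") || v.contains("no-cache");
            }
        }
        if (isLogoutPage && !cacheControlOk) {
            findings.add("logout page lacks Cache-Control no-store/no-cache; a cached copy would skip the logout");
        }
        return findings;
    }

    /** Set-Cookie attributes are ';'-separated and case-insensitive (RFC 6265). */
    private static void auditCookie(String setCookie, boolean overHttps, List<String> findings) {
        String[] parts = setCookie.split(";");
        String cookieName = parts[0].split("=", 2)[0].trim();
        boolean secure = false;
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().equalsIgnoreCase("secure")) secure = true;
        }
        if (overHttps && !secure) {
            findings.add("cookie " + cookieName + " set over HTTPS without the Secure attribute");
        }
    }

    public static void main(String[] args) {
        // Constructed: the logout response of an affected agent over HTTPS.
        List<String> before = List.of(
            "HTTP/1.1 200 OK",
            "Set-Cookie: iPlanetDirectoryPro=AQIC5w...; Path=/; Domain=.example.com; HttpOnly",
            "Cache-Control: max-age=300",
            "Content-Type: text/html");
        // Constructed: what the fixed agent's logout response should look like.
        List<String> after = List.of(
            "HTTP/1.1 200 OK",
            "Set-Cookie: iPlanetDirectoryPro=AQIC5w...; Path=/; Domain=.example.com; Secure; HttpOnly",
            "Cache-Control: no-store, no-cache, must-revalidate",
            "Pragma: no-cache",
            "Expires: 0",
            "Content-Type: text/html");
        System.out.println("before upgrade: " + audit(before, true, true)); // two findings
        System.out.println("after upgrade:  " + audit(after, true, true));  // []
    }
}
```

Feed it the raw headers from a browser's network panel or a proxy capture of the agent's logout URL over HTTPS; both findings should disappear once 5.6.2.0 is in place.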

Issue #201905-07

Product AM Web Agent
Affected versions 5.6.0, 5.6.1, 5.6.1.1
Fixed versions 5.6.2.0
Component Core Server
Severity Low

Description:

Large amounts of data in requests or responses can cause the agent to crash. This happens in some configurations where the request size limits have been raised above the defaults, or where a large volume of attribute data is fetched from AM.

Workaround:

Revert to the default request sizes where possible, and minimize the use of long values in session, profile and response attributes.

Resolution:

Upgrade to version 5.6.2.0.

Change Log

The following table tracks changes to the security advisory:

Date               Description
5th November 2019  Initial release


Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.