AM Agents Security Advisory #201905
Security vulnerabilities have been discovered in the AM Web and Java Agents. These issues are present in Agents 5.x.
November 05, 2019
Security vulnerabilities have been found in the AM Web and Java Agents.
This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases.
The highest rating for a Web Agent vulnerability is Critical and is exploitable; the highest rating for a Java Agent vulnerability is also Critical but is not exploitable. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to AM Web Agent 5.6.2.0 and AM Java Agent 5.6.2.0.
Customers can obtain the AM Web and Java Agents fixed version from BackStage:
Issue #201905-01
| Product | AM Web Agent |
|---|---|
| Affected versions | 5.0, 5.0.1.0, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.5.1.0, 5.5.1.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Critical |
Description:
AM Web Agent uses a field called "suid" which contains the session id. This can be spoofed in the id_token or copied from another user's token.
Workaround:
N/A
Resolution:
Upgrade to version 5.6.2.0.
Issue #201905-02
| Product | AM Java Agent |
|---|---|
| Affected versions | 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Critical |
Description:
Addresses the following CVEs found in the Jackson-Databind library:
- CVE-2019-16335 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource.
- CVE-2019-14540 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
This is a critical defect, but deemed not exploitable because the Agent does not use Polymorphic typing. This has been updated in case the customer or container uses our version of jackson-databind.
Workaround:
Medium: On Jackson CVEs: Don’t Panic — Here is what you need to know says:
- Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of given minor version (safest in the sense they should be no breaking changes to functionality)
- If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
- AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing
- If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes)
Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.
Resolution:
Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.
Issue #201905-03
| Product | AM Java Agent |
|---|---|
| Affected versions | 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Critical |
Description:
Addresses the following CVEs found in the Jackson-Databind library:
- CVE-2019-16942 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
- CVE-2019-16943 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
This is a critical defect, but deemed not exploitable because the Agent does not use Polymorphic typing. This has been updated in case the customer or container uses our version of jackson-databind.
Workaround:
Medium: On Jackson CVEs: Don’t Panic — Here is what you need to know says:
- Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of given minor version (safest in the sense they should be no breaking changes to functionality)
- If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
- AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing
- If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes)
Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.
Resolution:
Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.
Issue #201905-04
| Product | AM Web Agent |
|---|---|
| Affected versions | 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Medium |
Description:
OAuth2 id token is vulnerable to a CSRF attack.
Workaround:
Use HTTPS transport.
Resolution:
Upgrade to version 5.6.2.0.
Issue #201905-05
| Product | AM Web Agent and Java Agent |
|---|---|
| Affected versions | 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Medium |
Description:
Secure cookie property does not function, which results in it not being set when requested. It should be the default for https to prevent non-SSL manipulation of the cookie.
Workaround:
N/A
Resolution:
Upgrade to version 5.6.2.0.
Issue #201905-06
| Product | AM Web and Java Agent |
|---|---|
| Affected versions | 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Medium |
Description:
Agent logout page should set no-cache header because if the logout page is taken from the cache, the logout will not happen. This could lead to a customer not being forced to revalidate credentials.
Workaround:
N/A
Resolution:
Upgrade to version 5.6.2.0.
Issue #201905-07
| Product | AM Web Agent |
|---|---|
| Affected versions | 5.6.0, 5.6.1, 5.6.1.1 |
| Fixed versions | 5.6.2.0 |
| Component | Core Server |
| Severity | Low |
Description:
Large amounts of data in requests or responses can cause the agent to crash. This can happen in some configurations due to the extended request size or when there is a lot of data being requested from AM in terms of attributes.
Workaround:
Consider reverting to default request sizes. Minimize the use of longer fields in session/profile/response attributes.
Resolution:
Upgrade to version 5.6.2.0.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| 5th November 2019 | Initial release |