Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

OpenAM Security Advisory #201506

Last updated Feb 24, 2021

Security vulnerabilities have been discovered in OpenAM components. These issues are present in versions of OpenAM including 12.0.x and 11.0.x.


October 13, 2015

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.2 maintenance release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.2 or deploy the relevant patches. Patch bundles are available for the following versions:

  • 11.0.3
  • 12.0.1

Customers can obtain these patch bundles from BackStage.

Issue #201506-01: Thread-safety issues with CTS when encryption is enabled

Product: OpenAM
Affected versions: 11.0.0-11.0.3 and 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: Critical
Issue Tracker ID: OPENAM-6755

Description:

When the Core Token Service token encryption is enabled and the system is under a heavy load, it is possible that incorrect session/SAML/OAuth2 tokens are returned by the CTS.

Workaround:

Disable token encryption by setting the following property to false:

com.sun.identity.session.repository.enableEncryption

In the OpenAM console via Configuration > Servers and Sites > Default Server Settings > Advanced or via ssoadm:

$ ./ssoadm update-server-cfg --servername default --adminid amadmin --password-file /tmp/pwd.txt --attributevalues com.sun.identity.session.repository.enableEncryption=false

This setting is false by default.

Note

By changing this setting, any existing encrypted tokens stored in CTS will become unreadable by OpenAM.

Resolution:

Use the workaround or update/upgrade to a fixed version or deploy the relevant patch bundle.
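As an added example (not ForgeRock's code and not part of this advisory), the following POSIX shell helper audits the workaround above across a deployment: it reads the property list printed by `ssoadm list-server-cfg` for one server on stdin and reports whether CTS token encryption is enabled, disabled, or absent (absent means the default of false applies, so the workaround is in effect). It assumes the `list-server-cfg` subcommand and the `key=value` one-property-per-line output layout shown in the constructed sample; confirm both against your ssoadm version before relying on it.

```shell
#!/bin/sh
# Audit helper for Issue #201506-01 (added example, not ForgeRock's code).
# Feed it the output of, for each server in your site:
#   ssoadm list-server-cfg --servername <server> --adminid amadmin --password-file /tmp/pwd.txt
# The key=value line layout is an assumption about list-server-cfg output.

PROP='com.sun.identity.session.repository.enableEncryption'

# Reads the property list on stdin and prints one word:
#   enabled  - encryption is on (the vulnerable configuration)
#   disabled - explicitly set to false (workaround applied)
#   default  - property absent; OpenAM defaults it to false (workaround in effect)
#   unknown  - an unexpected value; inspect the server by hand
cts_encryption_state() {
    # Exact key match via awk, last occurrence wins; value is everything after the first '='.
    raw=$(awk -F= -v p="$PROP" '$1 == p { v = substr($0, length(p) + 2) } END { print v }' \
          | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    case "$raw" in
        '')    echo default ;;
        true)  echo enabled ;;
        false) echo disabled ;;
        *)     echo "unexpected value for $PROP: $raw" >&2; echo unknown ;;
    esac
}

# Exit status 0 when the workaround is in effect (disabled or default), 1 otherwise,
# so a deployment check can stop on a server that still has encryption enabled.
cts_workaround_applied() {
    case "$(cts_encryption_state)" in
        disabled|default) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed samples of the relevant lines (a real listing has many more properties).
SAMPLE_ENABLED='com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.sun.identity.session.repository.enableEncryption=true'

SAMPLE_DEFAULT='com.iplanet.am.cookie.name=iPlanetDirectoryPro'

printf '%s\n' "$SAMPLE_ENABLED" | cts_encryption_state   # prints: enabled
printf '%s\n' "$SAMPLE_DEFAULT" | cts_encryption_state   # prints: default
```

Remember the caveat in the Note above before flipping the property on a live server: tokens already stored encrypted in CTS become unreadable once encryption is turned off, so plan for active sessions to be invalidated.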

Issue #201506-02: Possible user impersonation when using OpenAM as an OAuth2/OIDC Provider

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: High
Issue Tracker ID: OPENAM-6660

Description:

When using multiple realms, it is possible for an authenticated user in realmA to acquire OAuth2 and OpenID Connect tokens that correspond to realmB.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Change Log

The following table tracks changes to the security advisory:

Date               Description
February 24, 2021  Added ForgeRock Identity Platform taxon to improve categorization


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.