Security Advisory

OpenAM Security Advisory #201605

Last updated Jul 9, 2018

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 13.0.x, 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.


August 10, 2016

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 11.0.3
  • 12.0.2-12.0.3
  • 13.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201605-01: Credential Forgery

Product OpenAM
Affected versions 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity Critical
Issue Tracker ID OPENAM-9389

Description:

The Persistent Cookie authentication module is vulnerable to credential forgery. In some configurations this may allow an attacker unauthorized access to the system as any user.

Workaround:

Disable Persistent Cookie authentication module instances and require manual authentication, or combine the module with a mandatory second factor.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-02: Insufficient Authorization

Product OpenAM
Affected versions 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity Critical
Issue Tracker ID OPENAM-9394

Description:

Insufficient authorization on a query endpoint allows a non-privileged user to access details of other users on the system.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-03: Authentication Bypass

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity High
Issue Tracker ID OPENAM-7938

Description:

In some configurations a user may be able to bypass additional authentication requirements and log in with just a username and password.

Workaround:

Ensure all authorization mechanisms and policies verify that every chain/module/service/role requirement has been met after authentication, for example by using OpenAM’s “Authenticated by Module Chain”, “Authenticated by Module Instance” or “Authenticated to Realm” environment conditions in conjunction with a policy agent.
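The following Python sketch is an added illustration of the workaround above; it is not ForgeRock code and does not use OpenAM's policy API or session property names. It contrasts an authorization check that only asks whether a session exists with one that enforces the chain, module-instance and realm conditions named in the workaround. The session fields, chain names and module instance names are constructed for the example.

```python
# Added illustration for #201605-03 (not ForgeRock code): authorization must
# verify HOW a session was authenticated, not just that it exists.
# Field, chain and module names below are constructed for the example and are
# not OpenAM session properties or policy API names.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Session:
    user: str
    realm: str                      # realm the user authenticated to
    auth_chain: str                 # chain (service) that completed authentication
    auth_modules: FrozenSet[str]    # module instances that succeeded in that chain


@dataclass(frozen=True)
class Policy:
    realm: Optional[str] = None              # "Authenticated to Realm"
    chain: Optional[str] = None              # "Authenticated by Module Chain"
    modules: FrozenSet[str] = frozenset()    # "Authenticated by Module Instance"


def weak_allow(session: Optional[Session]) -> bool:
    """The check a misconfigured deployment effectively relies on: any valid
    session is good enough, so a user who finished only the first module of a
    chain (username and password) is treated like one who completed it all."""
    return session is not None


def allow(session: Optional[Session], policy: Policy) -> bool:
    """Grant only when every environment condition in the policy is satisfied
    by the session that was actually established."""
    if session is None:
        return False
    if policy.realm is not None and session.realm != policy.realm:
        return False
    if policy.chain is not None and session.auth_chain != policy.chain:
        return False
    if not policy.modules <= session.auth_modules:
        return False
    return True


if __name__ == "__main__":
    # Constructed sessions: one that stopped after the password step, one that
    # completed the full two-step chain.
    password_only = Session("alice", "/", "ldapService", frozenset({"DataStore"}))
    full_chain = Session("alice", "/", "ldapOtpService",
                         frozenset({"DataStore", "HOTP"}))
    policy = Policy(realm="/", chain="ldapOtpService", modules=frozenset({"HOTP"}))
    print("weak check, password only:", weak_allow(password_only))      # True
    print("policy check, password only:", allow(password_only, policy))  # False
    print("policy check, full chain:", allow(full_chain, policy))        # True
```

The point of the contrast is that "the user has a session" and "the user satisfied the chain this resource requires" are different facts; the policy agent must be configured to ask the second question.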

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle and apply the workaround.

Issue #201605-04: Cross-Site Request Forgery (CSRF)

Product OpenAM
Affected versions 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity High
Issue Tracker ID OPENAM-8575

Description:

The OAuth2 consent page is vulnerable to a CSRF attack.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle and update any customized authorize.ftl template files based on the patch.

Issue #201605-05: Cross Site Scripting (XSS)

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity High
Issue Tracker ID OPENAM-8951, OPENAM-9216

Description:

OpenAM is vulnerable to cross-site scripting (XSS) attacks that could lead to session hijacking or phishing. The following endpoints are vulnerable:

  • /openam/cdcservlet
  • /openam/SAMLPOSTProfileServlet

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-06: Credentials appear in CTS access log

Product OpenAM
Affected versions 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity Medium
Issue Tracker ID OPENAM-8329

Description:

OAuth 2 client requests using HTTP Basic authentication may result in the base64-encoded credentials being recorded in the CTS access logs.

Workaround:

Use alternative authentication mechanisms for OAuth2 clients, or protect the OpenDJ access logs for the CTS store.
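As an added example (not ForgeRock or OpenDJ code), the script below scans access-log lines for HTTP Basic credential tokens, decodes them to show that base64 is reversible encoding rather than protection, reports the affected client IDs, and produces a redacted copy of each line. The sample log lines are constructed for the example and do not reproduce the real OpenDJ access-log format.

```python
# Added example for #201605-06 (not ForgeRock/OpenDJ code): find HTTP Basic
# credentials that were written into an access log, report which OAuth2
# client IDs are affected, and emit a redacted copy of the offending lines.
import base64
import binascii
import re

# Matches an HTTP Basic credential token wherever it appears in a log line.
BASIC_RE = re.compile(r"Basic\s+([A-Za-z0-9+/]{8,}={0,2})")


def decode_basic(token):
    """Return (client_id, secret) if token is well-formed base64 of 'id:secret',
    else None. base64 is an encoding, so anyone who can read the log can do this."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def scan_log(lines):
    """Return [(line_number, client_id, redacted_line)] for every credential found.
    Tokens that follow the word 'Basic' but are not decodable credentials are
    left untouched, so ordinary log text is not mangled."""
    findings = []
    for n, line in enumerate(lines, 1):
        client_ids = []

        def redact(match):
            creds = decode_basic(match.group(1))
            if creds is None:
                return match.group(0)
            client_ids.append(creds[0])
            return "Basic [REDACTED]"

        redacted = BASIC_RE.sub(redact, line)
        for cid in client_ids:
            findings.append((n, cid, redacted))
    return findings


# Constructed sample lines (not the real OpenDJ format). The token on the first
# line is base64 of "my-client:s3cr3t".
SAMPLE_LOG = [
    '[10/Aug/2016:10:15:01 +0000] SEARCH conn=12 op=3 filter="(tokenValue=Basic bXktY2xpZW50OnMzY3IzdA==)"',
    '[10/Aug/2016:10:15:02 +0000] SEARCH conn=12 op=4 filter="(tokenId=abc123)"',
    '[10/Aug/2016:10:15:03 +0000] ADD conn=13 op=1 dn="tokenId=Basic notbase64!!,ou=tokens"',
]

if __name__ == "__main__":
    for line_no, client_id, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: credential for client '{client_id}' exposed")
        print("  redacted:", redacted)
```

Running this against a copy of the CTS store's access logs tells you which client secrets to rotate; the redaction is only useful for copies you intend to keep or share, since the original log has already been written.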

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-07: Content Spoofing Vulnerability

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions 13.5.0
Component Core Server, Server Only
Severity Low
Issue Tracker ID OPENAM-8248, OPENAM-8249

Description:

Using a carefully crafted request an attacker can cause an alternative image and title text to be displayed on an admin console page.

Workaround:

Block access to the following endpoint:

  • /openam/ccversion/Version
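The workarounds for #201605-05 and #201605-07 both amount to denying external requests to specific paths until the patch is deployed. The Python request filter below is an added example of that check, not ForgeRock code and not a mod_security rule; it is meant to sit in a reverse proxy or container filter in front of OpenAM. The point it adds is that a naive string comparison can be sidestepped by percent-encoding, duplicate slashes, dot segments or `;` path parameters, so the path is canonicalized before comparison. The internal network ranges and the sample requests are constructed assumptions.

```python
# Added example for #201605-05 and #201605-07 (not ForgeRock code): deny
# external access to the vulnerable endpoints, comparing against a
# canonicalized path so encoding tricks do not slip past the filter.
import ipaddress
from urllib.parse import unquote

# Endpoints listed in this advisory, in lowercase for conservative matching.
BLOCKED_PREFIXES = (
    "/openam/cdcservlet",
    "/openam/samlpostprofileservlet",
    "/openam/ccversion/version",
)

# Assumption: these are the deployment's trusted internal networks. Remove the
# exemption entirely if the endpoints are not needed from anywhere.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def normalize_path(raw):
    """Canonicalize a request path roughly the way a servlet container does
    before mapping it: drop query/fragment, percent-decode (bounded repeat so
    %252F cannot hide a slash), strip ';' path parameters per segment, collapse
    '//' and resolve '.'/'..', then lowercase for comparison."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg.lower())
    return "/" + "/".join(out)


def is_internal(client_ip):
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def should_block(raw_path, client_ip):
    """True when a client outside the internal ranges targets a listed endpoint
    (or anything beneath it, since servlets may accept extra path info)."""
    if is_internal(client_ip):
        return False
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed requests from a documentation address range.
    for p, ip in [("/openam/cdcservlet?goto=x", "203.0.113.9"),
                  ("/openam/%63dcservlet", "203.0.113.9"),
                  ("/openam//ccversion/./Version;a=b", "203.0.113.9"),
                  ("/openam/ccversion/Version", "10.1.2.3"),
                  ("/openam/UI/Login", "203.0.113.9")]:
        print(f"{p:40} {ip:14} {'BLOCK' if should_block(p, ip) else 'allow'}")
```

Lowercasing makes the comparison stricter than a case-sensitive servlet mapping, which is the right direction for a temporary mitigation: over-blocking a variant that the container would have rejected anyway costs nothing. The filter only helps if it runs before OpenAM sees the request, and it does not replace deploying the patch bundle.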

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.



Copyright © 2018 ForgeRock, all rights reserved.
