OpenAM Security Advisory #201505
Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.
1 reader recommends this article
July 13, 2015
Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.
This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.1 maintenance release.
The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to OpenAM 12.0.1 or deploy the relevant patches. Patch bundles are available for the following versions:
- 10.0.2
- 11.0.3
- 12.0.0
Customers can obtain these patch bundles from BackStage.
Issue #201505-01: Deserialization of untrusted data
| Product | OpenAM |
|---|---|
| Affected versions | 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0 |
| Fixed versions | 12.0.1 |
| Component | Core Server, Server Only, Distributed Authentication Service |
| Severity | Critical |
| Issue Tracker ID | OPENAM-5925 |
Description:
Using a well crafted request an attacker may be able to perform remote code execution.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201505-02: Authentication bypass in SAMLv2
| Product | OpenAM |
|---|---|
| Affected versions | 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0 |
| Fixed versions | 12.0.1 |
| Component | Core Server, Server Only |
| Severity | High |
Description:
When OpenAM acts as a SAMLv2 Identity Provider and more than one realm has been configured it is possible to obtain access to Service Providers that have been configured in a different realm than the current session's realm.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201505-03: XML injection vulnerability
| Product | OpenAM |
|---|---|
| Affected versions | 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0 |
| Fixed versions | 12.0.1 |
| Component | Core Server, Server Only |
| Severity | High |
Description:
A well crafted XML document can be used to exploit the default high entity expansion limits of the xml parser and cause a denial of service attack for a short interval.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle. Once the patch is deployed the number of allowed XML entity expansions can be configured via the -Dorg.forgerock.util.xml.entity.expansion.limit=5000 JVM parameter. The setting defaults to 5000.
Issue #201505-04: A non admin user can import/export XACML policies via ssoadm
| Product | OpenAM |
|---|---|
| Affected versions | 12.0.0 |
| Fixed versions | 12.0.1 |
| Component | ssoadm |
| Severity | Medium |
Description:
A user with an account in OpenAM that has access to a configured ssoadm tool can import, export and list XACML policies.
Workaround:
Restrict access to the ssoadm command-line tool to only system administrators.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #201505-05: Insecure default passwords
| Product | OpenAM |
|---|---|
| Affected versions | 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0 |
| Fixed versions | 12.0.1 |
| Component | OpenDJ, DSEE data stores |
| Severity | Medium |
Description:
When OpenAM is configured with external OpenDJ or Oracle Directory Server Enterprise Edition (formerly Sun DSEE), or when the "Load Schema when saved" feature is used, the users created will have unsafe passwords.
Workaround:
When using DSEE:
- Remove the following entries from the directory:
cn=dsameuser,ou=DSAME Users,ROOT_SUFFIX cn=amldapuser,ou=DSAME Users,ROOT_SUFFIX
- Remove the ACIs targeting above users from the ROOT_SUFFIX entry
When using OpenDJ:
- Remove the following entries from the directory:
cn=ldapuser,ou=opensso adminusers,ROOT_SUFFIX cn=openssouser,ou=opensso adminusers,ROOT_SUFFIX
- Remove the ACIs targeting above users from the ROOT_SUFFIX entry
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle and perform the steps listed in the workaround to remove the faulty entries from the affected directories.