Security Advisory

OpenAM Security Advisory #201505

Last updated Jul 9, 2018

Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.


1 reader recommends this article

July 13, 2015

Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.1 maintenance release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.1 or deploy the relevant patches. Patch bundles are available for the following versions:

  • 10.0.2
  • 11.0.3
  • 12.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201505-01: Deserialization of untrusted data

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions 12.0.1
Component Core Server, Server Only, Distributed Authentication Service
Severity Critical
Issue Tracker ID OPENAM-5925

Description:

Using a well crafted request an attacker may be able to perform remote code execution.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-02: Authentication bypass in SAMLv2

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions 12.0.1
Component Core Server, Server Only
Severity High

Description:​​

When OpenAM acts as a SAMLv2 Identity Provider and more than one realm has been configured it is possible to obtain access to Service Providers that have been configured in a different realm than the current session's realm.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-03: XML injection vulnerability

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions 12.0.1
Component Core Server, Server Only
Severity High

Description:

A well crafted XML document can be used to exploit the default high entity expansion limits of the xml parser and cause a denial of service attack for a short interval.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. Once the patch is deployed the number of allowed XML entity expansions can be configured via the -Dorg.forgerock.util.xml.entity.expansion.limit=5000 JVM parameter. The setting defaults to 5000.

Issue #201505-04: A non admin user can import/export XACML policies via ssoadm

Product OpenAM
Affected versions 12.0.0
Fixed versions 12.0.1
Component ssoadm
Severity Medium

Description:​​

A user with an account in OpenAM that has access to a configured ssoadm tool can import, export and list XACML policies.

Workaround:

Restrict access to the ssoadm command-line tool to only system administrators.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-05: Insecure default passwords

Product OpenAM
Affected versions 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions 12.0.1
Component OpenDJ, DSEE data stores
Severity Medium

Description:

When OpenAM is configured with external OpenDJ or Oracle Directory Server Enterprise Edition (formerly Sun DSEE), or when the "Load Schema when saved" feature is used, the users created will have unsafe passwords.

Workaround:

When using DSEE:

  • Remove the following entries from the directory:
    cn=dsameuser,ou=DSAME Users,ROOT_SUFFIX 
    cn=amldapuser,ou=DSAME Users,ROOT_SUFFIX
  • Remove the ACIs targeting above users from the ROOT_SUFFIX entry

When using OpenDJ:

  • Remove the following entries from the directory:
    cn=ldapuser,ou=opensso adminusers,ROOT_SUFFIX 
    cn=openssouser,ou=opensso adminusers,ROOT_SUFFIX
  • Remove the ACIs targeting above users from the ROOT_SUFFIX entry

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle and perform the steps listed in the workaround to remove the faulty entries from the affected directories.



Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.

Recommended Books

Loading...