AM/OpenAM Web Agents Security Advisory #201904
Security vulnerabilities have been discovered in AM/OpenAM Web agents.
September 4, 2019
Two security vulnerabilities have been discovered in AM/OpenAM Web agents.
This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerabilities is available in the latest releases for Web Agents 4 and 5 respectively.
The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to Web Agents 5.6.1.1 or Web Agents 4.2.1.2.
Customers can obtain the Agents fixed versions from Backstage.
Issue #201904-01
| Product | OpenAM Web Agents |
|---|---|
| Affected versions | 4.0.x, 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1 |
| Fixed versions | 4.2.1.2 |
| Component | Web Agent |
| Severity | High |
Description:
In libexpat in Expat before 2.2.7, XML input (including XML names that contain a large number of colons) could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
https://www.cvedetails.com/cve/CVE-2018-20843/
Workaround:
N/A
Resolution:
Upgrade to Web Agent 4.2.1.2 (which includes an updated expat library version), or use Agents 5.x, which is not affected because it does not use this library.
Issue #201904-02
| Product | AM/OpenAM Web Agents |
|---|---|
| Affected versions | 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1, 5.0.x, 5.5.x |
| Fixed versions | 4.2.1.2, 5.6.0.0 |
| Component | Nginx Web Agent |
| Severity | High |
Description:
The Nginx Web Agent does not enforce the client body size maximum directive for chunk-encoded request bodies. The Apache and IIS agents are not affected.
Workaround:
Agents 4.x only: Don't use Post Data Preservation.
Resolution:
Update/upgrade to a fixed version.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| August 18, 2022 | No changes to content; only the Backstage link was corrected |
| February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization |
| September 4, 2019 | Initial release |