September 4, 2019
2 security vulnerabilities have been discovered in AM/OpenAM Web agents.
This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerabilities is available in the latest releases for Web Agents 4 and 5 respectively.
The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to Web Agents 22.214.171.124 or Web Agents 126.96.36.199.
Customers can obtain the Agents fixed versions from BackStage.
|Product||OpenAM Web Agents|
|Affected versions||4.0.x, 4.1.x, 4.2.0, 188.8.131.52, 184.108.40.206|
In libexpat in Expat before 2.2.7, XML input (including XML names that contain a large number of colons) could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
Upgrade to Web Agent 220.127.116.11 (which includes an updated expat library version) or use Agents 5.x which is not affected because it does not use this library.
|Product||AM/OpenAM Web Agents|
|Affected versions||4.1.x, 4.2.0, 18.104.22.168, 22.214.171.124, 5.0.x, 5.5.x|
|Fixed versions||126.96.36.199, 188.8.131.52|
|Component||Nginx Web Agent|
The Nginx Web Agent does not obey client body size max directive of chunk encoded data. Apache and IIS agents are not affected.
Agents 4.x only: Don't use Post Data Preservation.
Update/upgrade to a fixed version.
The following table tracks changes to the security advisory:
|September 4, 2019||Initial release|