Security Advisory

AM/OpenAM Web Agents Security Advisory #201904

Last updated Sep 4, 2019

Security vulnerabilities have been discovered in AM/OpenAM Web agents.


September 4, 2019

Two security vulnerabilities have been discovered in AM/OpenAM Web Agents.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerabilities is available in the latest releases for Web Agents 4 and 5 respectively.

The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to Web Agents 5.6.1.1 or Web Agents 4.2.1.2.

Customers can obtain the Agents fixed versions from BackStage.

Issue #201904-01

Product: OpenAM Web Agents
Affected versions: 4.0.x, 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1
Fixed versions: 4.2.1.2
Component: Web Agent
Severity: High

Description:

In libexpat in Expat before 2.2.7, XML input (including XML names that contain a large number of colons) could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

https://www.cvedetails.com/cve/CVE-2018-20843/

Workaround:

N/A

Resolution:

Upgrade to Web Agent 4.2.1.2 (which includes an updated expat library) or use Web Agents 5.x, which are not affected because they do not use this library.

Issue #201904-02

Product: AM/OpenAM Web Agents
Affected versions: 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1, 5.0.x, 5.5.x
Fixed versions: 4.2.1.2, 5.6.0.0
Component: Nginx Web Agent
Severity: High

Description:

The Nginx Web Agent does not enforce the client body maximum-size directive on chunked-encoded request data. The Apache and IIS agents are not affected.

Workaround:

Agents 4.x only: Don't use Post Data Preservation.

Resolution:

Update/upgrade to a fixed version.
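As an added illustration (not agent code, and not taken from this advisory), the Python below shows the class of defect described in Issue #201904-02: a body-size cap that is compared only against Content-Length lets a chunked body through unbounded, while applying the same cap to the running total of chunk sizes rejects it. The reader functions, header names and the sample chunked body are constructed for this example.

```python
import io

class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured size limit."""

def _read_chunked(stream, max_body=None):
    """Decode a chunked body. When max_body is set, reject as soon as the
    running total of chunk sizes passes it, before buffering that chunk."""
    total, parts = 0, []
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("truncated chunked body")
        size = int(line.split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        if size == 0:  # last-chunk: discard any trailer lines, then finish
            while stream.readline() not in (b"\r\n", b"\n", b""):
                pass
            return b"".join(parts)
        total += size
        if max_body is not None and total > max_body:
            raise BodyTooLarge(f"chunked body exceeds {max_body} bytes")
        chunk = stream.read(size)
        if len(chunk) != size or stream.readline() not in (b"\r\n", b"\n"):
            raise ValueError("malformed chunk")
        parts.append(chunk)

def read_body(stream, headers, max_body, limit_chunked=True):
    """Read one request body, enforcing max_body bytes. limit_chunked=False
    reproduces the weak pattern: the cap is compared only to Content-Length,
    so a chunked body (which carries no Content-Length) is read without bound."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return _read_chunked(stream, max_body if limit_chunked else None)
    length = int(headers.get("content-length", "0"))
    if length > max_body:
        raise BodyTooLarge(f"Content-Length {length} exceeds {max_body} bytes")
    return stream.read(length)

# Constructed sample: a 12-byte body sent as two chunks, with no Content-Length.
CHUNKED_HEADERS = {"transfer-encoding": "chunked"}
CHUNKED_BODY = b"7\r\nhello, \r\n5\r\nworld\r\n0\r\n\r\n"

def decode(raw, headers, max_body, limit_chunked=True):
    """Feed a raw body through read_body; return the decoded bytes, or the
    rejection message when the limit fires."""
    try:
        return read_body(io.BytesIO(raw), headers, max_body, limit_chunked)
    except BodyTooLarge as exc:
        return f"rejected: {exc}"
```

With an 8-byte limit, `decode(CHUNKED_BODY, CHUNKED_HEADERS, 8, limit_chunked=False)` returns the full 12-byte body, whereas the default path rejects it once the second chunk pushes the total past the cap.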

Change Log

The following table tracks changes to the security advisory:

Date  Description
September 4, 2019 Initial release


Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.