Security Advisory

OpenIDM Security Advisory #201702

Last updated Jul 9, 2018

Security vulnerabilities have been discovered in OpenIDM components including the Core Server, Self-Service UI and Admin UI. These issues are present in versions of OpenIDM including 4.0.0 and 4.5.0.



March 28, 2017

Security vulnerabilities have been discovered in OpenIDM components including the Info Service, Self-Service UI and Admin UI. These issues are present in versions of OpenIDM including 4.0.0 and 4.5.0.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade, or to deploy the relevant patches. Patch bundles are available for the following versions:

  • 4.0.0
  • 4.5.0

Customers can obtain these patch bundles from BackStage.

Issue #201702-01: Information Leakage

Product: OpenIDM
Affected versions: 4.0.0
Fixed versions: 4.5.0
Component: Info Service
Severity: Medium

Description:

The OpenIDM info endpoint may leak sensitive information under certain circumstances.

Workaround:

Modify the OpenIDM bin/defaults/script/info/login.js script and change the following at line 28:

        return context.security;

to the following:

        // Return only the fields the UI needs instead of the whole security context
        return {
            _id: "login",
            authorization: context.security.authorization,
            authenticationId: context.security.authenticationId
        };
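
The workaround above replaces a blanket `return context.security;` with an explicit allow-list. The following is an added example (not ForgeRock's code) that applies the same allow-list as a standalone function and adds a check reporting which keys the original return statement would have exposed; the shape of `context.security` beyond the two named fields, and the `extraServerState` property, are constructed for the example.

```javascript
// Added example, not part of OpenIDM: allow-list projection for the info/login response.
// Only the fields named in the workaround are copied from context.security; any other
// property on the security context is dropped rather than returned to the caller.
const LOGIN_FIELDS = ["authorization", "authenticationId"];

function loginInfo(context) {
  const security = (context && context.security) || {};
  const out = { _id: "login" };
  for (const field of LOGIN_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(security, field)) {
      out[field] = security[field];
    }
  }
  return out;
}

// Keys that `return context.security;` would have sent to the client but the
// allow-listed response omits. Handy as a regression check after deploying the change.
function leakedKeys(context) {
  const security = (context && context.security) || {};
  const kept = new Set(Object.keys(loginInfo(context)));
  return Object.keys(security).filter((key) => !kept.has(key));
}

// Constructed sample context: the two expected fields plus one extra, hypothetical
// property standing in for whatever else the server attaches to the security context.
const sampleContext = {
  security: {
    authenticationId: "alice",
    authorization: { id: "alice", component: "managed/user", roles: ["openidm-authorized"] },
    extraServerState: { hypothetical: true },
  },
};

console.log(JSON.stringify(loginInfo(sampleContext)));
console.log("dropped from response:", leakedKeys(sampleContext));
```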

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201702-02: Cross Site Scripting (XSS)

Product: OpenIDM
Affected versions: 4.0.0, 4.5.0
Fixed versions:
Component: Admin UI
Severity: Medium

Description:

OpenIDM is vulnerable to both persistent and reflected cross-site scripting (XSS) attacks within the Admin UI, which could lead to session hijacking or phishing.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Acknowledgements

Oliveira Lima of Stone Labs.



Copyright © 2018 ForgeRock, all rights reserved.