OpenAM security advisory #201204

A number of security vulnerabilities have been discovered in OpenAM. These issues are present in versions of OpenAM including 10.0.0, 9.x and also previous versions released under alternate names, such as OpenSSO.

For OpenAM 10.0.0:

  • One of the issues described in this advisory is present in OpenAM 10.0.0. OpenAM 10.0.1 will be released shortly to address this.

For OpenAM 9.x and previous releases:

  • All the issues described in this advisory are present in OpenAM 9.5.4 and previous releases. OpenAM 9.5.5 has been released to address these issues in the 9.5.x branch.
  • For customers running OpenAM 9.5.4 or older, workarounds are available.

NOTE: These problems are not present in the DAUI (Distributed Authentication User Interface, aka DAS); therefore, if the only end-user access is via a DAUI/DAS, you are not vulnerable to these specific external attacks.

These issues are rated as Critical. Where security precautions have been taken, such as not running OpenAM as the root user (on Unix-like OSs) or applying the Security Best Practices, the risk is limited, but these issues should still be treated as serious and given immediate attention.

Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

Issue #201204-01: Insecure Direct Object Reference on console UI

Product: OpenAM
Version: 9.5.4 and previous
Component: OpenAM Core Server
Severity: Critical
JIRA ID: OPENAM-1052

Technical details and mitigation

By sending a specially crafted request an attacker may be able to retrieve contents from the local filesystem and/or expose information about the internal infrastructure.

Vulnerable endpoint

/openam/admin/proxy.jsp

Workaround

Remove the admin/proxy.jsp file from the deployment or the WAR.

Resolution

Update to 9.5.5 release or OpenAM 10.0.0.

Issue #201204-02: Unauthorized access to console pages

Product: OpenAM
Version: 10.0.0, 9.5.4 and previous
Component: OpenAM Core Server
Severity: Critical
JIRA ID: OPENAM-1174

Certain pages under the OpenAM console can be accessed by unprivileged users. This means that a non-privileged, but authenticated user can access administration pages and in certain situations even perform changes in the configuration.

Workaround

Update amAccessControl.xml according to your version, for OpenAM 10.0.0 and for 9.5.x deployments. Subscription customers can contact ForgeRock for assistance.

Resolution

Update to OpenAM 9.5.5, or to 10.0.1 when available, or upgrade to OpenAM 10.0.0. If you run 10.0.0, you must set the console.privileged.users property (a |-separated list of users' Universal IDs, such as console.privileged.users=uid=demo,ou=user,dc=openam,dc=java,dc=net|uid=demo2,ou=user,dc=openam,dc=java,dc=net). Subscription customers can contact ForgeRock for direct assistance.
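As an added example (not ForgeRock's own code), a small Python audit helper covering both issues in this advisory: it checks whether admin/proxy.jsp is still shipped in a WAR file or exploded deployment (#201204-01) and whether console.privileged.users is set on a 10.0.0 install (#201204-02). It assumes the property is read from a Java-style .properties file; the WAR and the properties text are constructed stand-ins, and the UIDs are the ones quoted above.

```python
import os
import tempfile
import zipfile

PROXY_JSP = "admin/proxy.jsp"           # vulnerable endpoint, issue #201204-01
PRIV_PROP = "console.privileged.users"  # property required on 10.0.0, issue #201204-02

def war_contains_proxy_jsp(war_path):
    """True if the deployment (.war file or exploded directory) still ships admin/proxy.jsp."""
    if os.path.isdir(war_path):
        return os.path.isfile(os.path.join(war_path, "admin", "proxy.jsp"))
    with zipfile.ZipFile(war_path) as war:
        return PROXY_JSP in war.namelist()

def parse_privileged_users(properties_text):
    """Universal IDs from console.privileged.users ('|' separated); [] if missing, commented out or empty."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":       # .properties comment lines
            continue
        key, sep, value = line.partition("=")  # first '=' only: UIDs contain '=' themselves
        if sep and key.strip() == PRIV_PROP:
            return [uid.strip() for uid in value.split("|") if uid.strip()]
    return []

def audit(war_path, properties_text, version):
    """Return open findings for this advisory; an empty list means both items are addressed."""
    findings = []
    if war_contains_proxy_jsp(war_path):
        findings.append("201204-01: admin/proxy.jsp is still deployed")
    if version == "10.0.0" and not parse_privileged_users(properties_text):
        findings.append("201204-02: console.privileged.users is not set")
    return findings

def make_sample_war(include_proxy):
    """Constructed stand-in for an OpenAM WAR, written to a temporary file."""
    path = os.path.join(tempfile.mkdtemp(), "openam.war")
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("index.jsp", "<html/>")
        if include_proxy:
            war.writestr(PROXY_JSP, "<%-- placeholder --%>")
    return path

# Constructed properties text (assumed file location); UIDs are the advisory's examples.
FIXED_PROPS = ("# AMConfig-style properties\n"
               "console.privileged.users=uid=demo,ou=user,dc=openam,dc=java,dc=net"
               "|uid=demo2,ou=user,dc=openam,dc=java,dc=net\n")
```

Calling `audit(make_sample_war(True), "", "10.0.0")` reports both items, while `audit(make_sample_war(False), FIXED_PROPS, "10.0.0")` returns an empty list.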
