OpenAM security advisory #201401

Security vulnerabilities have been discovered in OpenAM components including the Core Server and Java Fedlet.  These issues are present in versions of OpenAM including 11.0.0, 10.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured.  Workarounds or patches are available for all of the issues, which are also included in the 11.0.1 release.

The maximum severity of issues in this advisory is Critical.  Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 11.0.1. Alternatively, patch bundles are available for the following versions:

  • 9.5.5 (critical fixes only)
  • 10.0.2

Issue #201401-01: Denial of Service vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.1, 10.1.0-Xpress, 11.0.0
Fixed versions: 10.0.2, 11.0.1
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-3286

In environments where an OpenAM site has been configured, it is possible that an attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the site until the affected instances are restarted.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-02: Denial of Service vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0
Fixed versions: 11.0.1
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-3432

It is possible to cause a denial of service by sending a limited number of requests to specific OpenAM endpoints.

Technical details:

A resource leak makes it possible for an attacker to send a limited number of requests to two specific OpenAM endpoints and occupy the web container’s request processing threads indefinitely.

Workaround:

Block access to the following URIs:

/<deployment URI>/setup/setSetupProgress
/<deployment URI>/upgrade/setUpgradeProgress

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-03: SQL Injection vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.1, 10.1.0-Xpress
Fixed versions: 10.0.2, 11.0.0
Component: Core Server
Severity: Critical
JIRA ID: OPENAM-2519

When audit logging to database is configured, it is possible to inject arbitrary SQL content into audit log statements.
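The advisory does not show the affected OpenAM code, so the following is a generic illustration added here (not OpenAM's code or the project's fix): a Python/SQLite audit writer that splices an untrusted login name into the INSERT text, beside the bound-parameter form that keeps the value as data. It shows why injection into audit statements is an integrity problem for the log itself, not only a database problem. The table layout, the login name and the forged value are constructed for the example.

```python
import sqlite3

# Constructed input: a login name that closes the VALUES list and appends a
# second row, so a failed login would also be recorded as a success.
FORGED = "admin'), ('SUCCESS', 'admin"


def new_db():
    """In-memory audit table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (outcome TEXT, login_name TEXT)")
    return conn


def log_unsafe(conn, login_name, outcome="FAILED"):
    """Vulnerable pattern: the value becomes part of the SQL text, so quote
    characters in it change the statement's structure."""
    sql = "INSERT INTO audit (outcome, login_name) VALUES ('%s', '%s')" % (
        outcome, login_name)
    conn.execute(sql)


def log_safe(conn, login_name, outcome="FAILED"):
    """Hardened pattern: bound parameters; the driver sends the value
    separately from the statement and it is stored verbatim."""
    conn.execute(
        "INSERT INTO audit (outcome, login_name) VALUES (?, ?)",
        (outcome, login_name),
    )


def rows(conn):
    return conn.execute(
        "SELECT outcome, login_name FROM audit ORDER BY rowid").fetchall()


def demo(logger):
    """Run one logger against a fresh table and return what was recorded."""
    conn = new_db()
    logger(conn, FORGED)
    return rows(conn)


if __name__ == "__main__":
    print("unsafe:", demo(log_unsafe))  # two rows, one of them forged
    print("safe:  ", demo(log_safe))    # one row, login_name stored literally
```

With the concatenated version the audit table ends up holding a SUCCESS record that never happened; with bound parameters the same input is stored as an odd-looking but harmless login name. The same distinction applies to JDBC: `Statement` with string building versus `PreparedStatement` with `setString`.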

Workaround:

Direct audit logs to files until the patch for this issue can be deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-04: Possible user impersonation when using OpenAM as an OAuth2 Provider

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0
Fixed versions: 11.0.1
Component: Core Server
Severity: High

Under certain circumstances it is possible for an authenticated user to acquire an access token and a refresh token that belong to a different user when using the Resource Owner Password Credentials Grant flow.

Workaround:

Block access to the following URI for end users (applicable when the Resource Owner Password Credentials Grant flow is the only OAuth2 flow in use):

/<deployment URI>/oauth2/access_token

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-05: OAuth2 authentication module may authenticate users as admin

Product: OpenAM
Affected versions: 10.0.0-10.0.2, 10.1.0-Xpress
Fixed versions: 11.0.0
Component: Core Server
Severity: High

If the OAuth2 authentication module is misconfigured, an end user may be granted complete administrative control of the system.

This can happen if the Account Mapper Configuration option is empty and the Map to anonymous user setting is not enabled.

Workaround:

Ensure that the Account Mapper Configuration setting is not empty.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-06: XSS and Open Redirect vulnerabilities

Product: OpenAM
Affected versions: various, see below
Fixed versions: 11.0.1
Component: see below (in parentheses)
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing. OpenAM is also vulnerable to Open Redirect attacks, which could lead to phishing.

An automated scan found the following endpoints to be vulnerable to cross-site scripting and/or open redirect attacks:

Affecting 9-9.5.5, 10.0.0-10.0.1 and 10.1.0-Xpress:

  • /openam/wsfederation/realmSelection.jsp (Server-only, Core Server)
  • /openam/wsfederation/jsp/multi.jsp (Server-only, Core Server)
  • /openam/wsfederation/jsp/logout.jsp (Server-only, Core Server)
  • /openam/validatorRpt.jsp (Server-only, Core Server)
  • /openam/validatorMain.jsp (Server-only, Core Server)
  • /openam/validator.jsp (Server-only, Core Server)
  • /openam/showServerConfig.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/spSingleLogoutRedirect.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/spSingleLogoutPOST.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/spSingleLogoutInit.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/spMNIRequestInit.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/spMNIRedirect.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/spMNIPOST.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/saml2error.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/idpSingleLogoutRedirect.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/idpSingleLogoutPOST.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/idpSingleLogoutInit.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/idpMNIRequestInit.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/idpMNIRedirect.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/idpMNIPOST.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/fedletXACMLResp.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/fedletXACMLQuery.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/default.jsp (Server-only, Core Server, Java Fedlet)
  • /openam/saml2/jsp/SA_SP.jsp (Server-only, Core Server)
  • /openam/saml2/jsp/SA_IDP.jsp (Server-only, Core Server)
  • /openam/proxyidpfinder.jsp (Server-only, Core Server)
  • /openam/oauth2c/OAuthLogout.jsp (Server-only, Core Server)
  • /openam/console/task/CreateFedlet.jsp (Core Server)
  • /openam/console/task/ConfigureSalesForceApps.jsp (Core Server)
  • /openam/console/task/ConfigureGoogleApps.jsp (Core Server)
  • /openam/console/ajax/FileUpload.jsp (Core Server)
  • /openam/config/federation/default/ListOfCOTs.jsp (Server-only, Core Server)
  • /openam/config/federation/default/Federate.jsp (Server-only, Core Server)
  • /openam/config/federation/default/CommonLogin.jsp (Server-only, Core Server)
  • /fedlet/index.jsp (Java Fedlet)
  • /fedlet/header.jspf (Java Fedlet)

Affecting 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0:

  • /openam/idm/EndUser (Core Server)

Affecting 10.1.0-Xpress:

  • /openam/oauth2/authorize (Server-only, Core Server)

Affecting 11.0.0:

  • /openam/oauth2/connect/checkSession (Server-only, Core Server)

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.
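Whether the container-level blocks for issues #201401-02 and #201401-06 are in place, and whether the endpoints were reached before they were, can be checked from the container's access log. The following Python script is an added example (not part of the advisory or of OpenAM) that parses combined-format access log lines, normalises the request path against the deployment URI, and reports hits on the two #201401-02 endpoints and on a subset of the #201401-06 endpoints. The log lines, client addresses and the `/openam` deployment URI are constructed for the example; the #201401-06 set below should be extended with the rest of the advisory's list for real use.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoints from issue #201401-02, relative to the deployment URI.
DOS_ENDPOINTS = frozenset({
    "/setup/setSetupProgress",
    "/upgrade/setUpgradeProgress",
})

# Subset of the issue #201401-06 endpoints, relative to the deployment URI.
# Extend with the remaining paths from the advisory list as needed.
XSS_REDIRECT_ENDPOINTS = frozenset({
    "/wsfederation/realmSelection.jsp",
    "/validator.jsp",
    "/showServerConfig.jsp",
    "/saml2/jsp/spSingleLogoutRedirect.jsp",
    "/saml2/jsp/spSingleLogoutPOST.jsp",
    "/saml2/jsp/spSingleLogoutInit.jsp",
    "/saml2/jsp/saml2error.jsp",
    "/oauth2c/OAuthLogout.jsp",
    "/idm/EndUser",
    "/oauth2/authorize",
    "/oauth2/connect/checkSession",
})

# Combined log format: client ident user [timestamp] "METHOD target proto" status size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; hosts, addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2014:10:01:02 +0000] "GET /openam/UI/Login HTTP/1.1" 200 5120
10.0.0.9 - - [14/Jan/2014:10:01:07 +0000] "GET /openam/setup/setSetupProgress HTTP/1.1" 200 12
10.0.0.9 - - [14/Jan/2014:10:01:08 +0000] "GET /openam/upgrade/setUpgradeProgress HTTP/1.1" 200 12
10.0.0.7 - - [14/Jan/2014:10:02:11 +0000] "GET /openam/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp HTTP/1.1" 302 -
10.0.0.7 - - [14/Jan/2014:10:02:15 +0000] "GET /openam/validator%2Ejsp HTTP/1.1" 200 3310
10.0.0.5 - - [14/Jan/2014:10:03:00 +0000] "POST /openam/json/authenticate HTTP/1.1" 200 210
"""


def normalize_path(target, deployment_uri):
    """Return the request path relative to the deployment URI, or None when the
    request is outside the OpenAM deployment. The query string is dropped and
    percent-encoding decoded so that '/openam/validator%2Ejsp?x=1' compares
    equal to the advisory's '/validator.jsp'."""
    path = unquote(target.split("?", 1)[0])
    if not path.startswith(deployment_uri + "/"):
        return None
    return path[len(deployment_uri):]


def classify(target, deployment_uri="/openam"):
    """Map a request target to the advisory issue it touches, or None."""
    rel = normalize_path(target, deployment_uri)
    if rel is None:
        return None
    if rel in DOS_ENDPOINTS:
        return "201401-02"
    if rel in XSS_REDIRECT_ENDPOINTS:
        return "201401-06"
    return None


def scan(lines, deployment_uri="/openam"):
    """Return one record per log line that hits a listed endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        issue = classify(m["target"], deployment_uri)
        if issue:
            hits.append({"client": m["client"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"],
                         "issue": issue})
    return hits


def per_client(hits):
    """Count hits by (client, issue) to see who reached what."""
    return Counter((h["client"], h["issue"]) for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["ts"], h["client"], h["issue"], h["target"], h["status"])
    print(per_client(found))
```

A 200 status on a #201401-02 endpoint after the block was configured means the block is not effective at the container; a 403 or 404 confirms it. The decoding step matters because the advisory lists literal paths, while a container may accept percent-encoded equivalents, so a block rule that matches only the literal spelling can be bypassed by encoding.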

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Important: change of SAMLv2 SLO behavior after applying the patch.

OpenAM no longer follows the RelayState without validation if there is no active session. If you need to follow RelayState even when there is no active session, also include the metaAlias in the query string so that OpenAM can validate the RelayState URL.

Issue #201401-07: Unauthorized access

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress
Fixed versions: 11.0.0
Component: Core Server
Severity: Medium

A bug in the policy evaluation framework makes it possible for an authenticated user to gain unauthorized access to certain resources regardless of the policy evaluation mode (self/subtree).

This issue may occur if there are two policies defined and the following requirements are met:

  • the policies have different rules, but they can match the same resource
  • only one of the policies has a condition defined

Under these circumstances it is possible to obtain access to the protected resource without fulfilling the defined condition.

Workaround:

Review existing policies and disable access to the affected resources.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201401-08: Unauthorized access

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress
Fixed versions: 11.0.0
Component: Core Server
Severity: Low

A bug in the policy evaluation framework makes it possible for an authenticated user to gain unauthorized access to certain resources regardless of the policy evaluation mode (self/subtree).

This issue may occur if there is a policy rule that has a wildcard (*) at the end of the host name, and the rule also restricts access to a given port number. Such a policy rule will be saved in the configuration store without the port restriction, hence it may allow access to other policy agent protected resources running on different port numbers.

Workaround:

Review existing policies and disable access to the affected resources in case there are applications running under the same domain, but on different ports.
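The workarounds for issues #201401-07 and #201401-08 both ask for a review of existing policies. The following Python script is an added example (not OpenAM code) of what that review can check: it models policies as a name, a list of resource patterns and a list of conditions, then reports resources matched by both an unconditional and a conditional policy (the #201401-07 shape) and rules whose host name ends in a wildcard while also naming a port (the #201401-08 shape). The policies, the resources and the simplified `*` matching are constructed assumptions for the example; OpenAM's own resource matching has further rules (`-*-`, port defaults) that are not modelled here.

```python
import re

# Constructed sample policies: not real OpenAM exports. An empty conditions
# list means the policy grants access unconditionally.
POLICIES = [
    {"name": "intranet-open",
     "resources": ["http://apps.example.com:80/intranet/*"],
     "conditions": []},
    {"name": "payroll-authlevel",
     "resources": ["http://apps.example.com:80/intranet/payroll/*"],
     "conditions": ["AuthLevel >= 2"]},
    {"name": "wiki-any-host",
     "resources": ["http://wiki*:8080/*"],
     "conditions": []},
]

# Constructed protected resources, written as a policy agent would request them.
RESOURCES = [
    "http://apps.example.com:80/intranet/home.jsp",
    "http://apps.example.com:80/intranet/payroll/salary.jsp",
    "http://wiki01:8080/index.html",
]

# scheme://host[:port][/path] for a resource rule
RULE = re.compile(
    r"^(?P<scheme>\w+)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$")


def pattern_to_regex(pattern):
    """Simplified matching: '*' matches any run of characters, everything else
    is literal and case-sensitive."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def matching_policies(resource, policies):
    return [p for p in policies
            if any(pattern_to_regex(r).match(resource) for r in p["resources"])]


def overlapping_condition_gaps(policies, resources):
    """Issue #201401-07 review: resources reachable through an unconditional
    policy although another policy attaches a condition to them.
    Returns (resource, unconditional policy names, conditional policy names)."""
    findings = []
    for res in resources:
        hits = matching_policies(res, policies)
        conditional = [p["name"] for p in hits if p["conditions"]]
        unconditional = [p["name"] for p in hits if not p["conditions"]]
        if conditional and unconditional:
            findings.append((res, unconditional, conditional))
    return findings


def wildcard_host_with_port(policies):
    """Issue #201401-08 review: rules whose host name ends in '*' and that also
    name a port; the advisory says such rules were stored without the port."""
    findings = []
    for p in policies:
        for rule in p["resources"]:
            m = RULE.match(rule)
            if m and m["host"].endswith("*") and m["port"] is not None:
                findings.append((p["name"], rule))
    return findings


if __name__ == "__main__":
    for res, uncond, cond in overlapping_condition_gaps(POLICIES, RESOURCES):
        print("#201401-07 candidate:", res, "unconditional:", uncond, "conditional:", cond)
    for name, rule in wildcard_host_with_port(POLICIES):
        print("#201401-08 candidate:", name, rule)
```

In the constructed data the payroll page is covered by the conditional `payroll-authlevel` policy and also by the broader unconditional `intranet-open` policy, which is the overlap the advisory describes; `wiki-any-host` combines a trailing host wildcard with port 8080 and is the rule to re-save after patching.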

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle and re-save the affected policies.

Issue #201401-09: OAuth2 provider logs resource owner’s password for invalid credentials

Product: OpenAM
Affected versions: 10.1.0-Xpress
Fixed versions: 11.0.0
Component: Core Server
Severity: Low

When using the Resource Owner Password Credentials Grant flow, invalid credentials are logged at error level in the Authentication debug log.

Workaround:

Turn off debug logging for the Authentication debug instance using Debug.jsp.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

©2019 ForgeRock