Security vulnerabilities have been discovered in a third-party library used by OpenAM Web Policy Agents. These issues are present in versions of the OpenAM Web Policy Agents including 3.3.1, 3.3.0 and 3.0.x.
This advisory provides guidance on how to secure your deployments.
Fixes are available.
The severity of this issue is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to OpenAM Web Policy Agents 3.3.3.
Issue #201402-01: NSS and NSPR security, bug fix, and enhancement update
Product: OpenAM Web Policy Agents
Affected versions: 3.0-3.0.5, 3.1.0-Xpress, 3.3.0, 3.3.1
Fixed versions: 3.3.3
Component: Web Policy Agents
JIRA ID: OPENAM-4254
OpenAM Web Policy Agents use Network Security Services (NSS), a set of libraries designed to support the cross-platform development of security-enabled client and server applications, and Netscape Portable Runtime (NSPR), which provides platform independence for non-GUI operating system facilities.
New versions of OpenAM Web Policy Agents have been built using updated versions of the libraries.
Download (https://backstage.forgerock.com/#!/downloads/enterprise/OpenAM) and deploy OpenAM Web Policy Agents 3.3.3.