OpenAM Security Advisory #201402

Security vulnerabilities have been discovered in a third-party library used by OpenAM Web Policy Agents. These issues are present in versions of the OpenAM Web Policy Agents including 3.3.1, 3.3.0 and 3.0.x.

This advisory provides guidance on how to ensure your deployments can be secured.

Fixes are available.

The severity of this issue is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM Web Policy Agents 3.3.3.

Issue #201402-01: NSS and NSPR security, bug fix, and enhancement update

Product: OpenAM Web Policy Agents
Affected versions: 3.0-3.0.5, 3.1.0-Xpress, 3.3.0, 3.3.1
Fixed versions: 3.3.3
Component: Web Policy Agents
Severity: Critical
JIRA ID: OPENAM-4254

Description:

OpenAM Web Policy Agents use Network Security Services (NSS), a set of libraries designed to support the cross-platform development of security-enabled client and server applications, and Netscape Portable Runtime (NSPR), which provides platform independence for non-GUI operating system facilities.

Multiple issues have been found in older versions of these libraries. For more details, please read the NSS release notes or query the CVE database for NSPR vulnerabilities.

New versions of OpenAM Web Policy Agents have been built using updated versions of the libraries.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/enterprise/OpenAM) and deploy OpenAM Web Policy Agents 3.3.3.
