Security vulnerabilities have been discovered in a third party library used by OpenAM Web Policy Agents. These issues are present in versions of the OpenAM Web Policy Agents including 3.3.1, 3.3.0 and 3.0.x.
This advisory provides guidance on how to ensure your deployments can be secured.
Fixes are available.
The severity of this issue is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to OpenAM Web Policy Agents 3.3.3.
Issue #201402-01: NSS and NSPR security, bug fix, and enhancement update
Product: OpenAM Web Policy Agents
Affected versions: 3.0-3.0.5, 3.1.0-Xpress, 3.3.0, 3.3.1
Fixed versions: 3.3.3
Component: Web Policy Agents
Severity: Critical
JIRA ID: OPENAM-4254
Description:
OpenAM Web Policy Agents use Network Security Services (NSS), a set of libraries designed to support the cross-platform development of security-enabled client and server applications, and Netscape Portable Runtime (NSPR), which provides platform independence for non-GUI operating system facilities.
Multiple issues have been found with older versions of these libraries. For more details, please read the NSS release notes or query the CVE database for NSPR vulnerabilities.
New versions of OpenAM Web Policy Agents have been built using updated versions of the libraries.
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/enterprise/OpenAM) and deploy OpenAM Web Policy Agents 3.3.3.