OpenAM Security Advisory #201403

Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 11.0.1, 11.0.0, 10.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to secure your deployments. Workarounds or patches are available for all of the issues, which are also included in the 11.0.2 release.

The maximum severity of issues in this advisory is High. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation for customers is to upgrade to OpenAM 11.0.2. Alternatively, patch bundles are available for the 11.0.1 and 10.0.2 versions.

Issue #201403-01: Insecure Direct Object Reference

Product: OpenAM
Affected versions: 9.5.0-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.1
Fixed versions: 11.0.2
Component: Core Server, Server Only, DAS
Severity: High

It is possible to retrieve files from the OpenAM application WAR without authentication.

Workaround:

Configure the web container (or firewall) to reject incoming requests made against /<deployment URI>/cdcservlet that have the loginURI parameter present.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201403-02: Cross site scripting vulnerabilities

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.1
Fixed versions: 11.0.2
Component: see below (in parentheses)
Severity: High

Certain endpoints in OpenAM are vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.

An automated scan has detected that the following endpoints are vulnerable to cross-site scripting attacks:

  • /<deployment URI>/idpsaehandler (Server-only, Core Server)
  • /<deployment URI>/saml2/jsp/SA_IDP.jsp (Server-only, Core Server)
  • /<deployment URI>/UI/Login (Server-only, Core Server, DAS)

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201403-03: Denial of Service & information leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.1, 10.1.0-Xpress, 11.0.0-11.0.1
Fixed versions: 11.0.2
Component: Core Server, Server Only
Severity: Medium

The legacy password reset UI allows construction of invalid queries that could result in expensive search operations leading to possible denial of service or information leakage.

Workarounds:

Disable the legacy password reset feature at Access Control -> realm -> Services -> Password Reset -> Password Reset option or by running the following ssoadm command:

$ openam/bin/ssoadm set-realm-svc-attrs -e realm -s iPlanetAMPasswordResetService -u amadmin -f .pass -a iplanet-am-password-reset-enabled=false

Note: The legacy password reset is disabled by default.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201403-04: Timing vulnerability in JWT implementation

Product: OpenAM
Affected versions: 11.0.0-11.0.1
Fixed versions: 11.0.2
Component: Core Server, Server Only
Severity: Medium

When OpenAM is being used as an OpenID Connect Authorization Server, it is possible to perform a timing attack to construct id_tokens with a signature that is considered valid.

Resolution:

Upgrade the json-web-token library in the OpenAM WAR file under WEB-INF/lib folder to the 2.0.3 version.
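The timing issue above concerns how an id_token signature is checked. The following is an added example, not OpenAM's or the json-web-token library's code: an HS256 id_token verifier that, assuming the weakness is a byte-by-byte signature comparison returning on the first mismatch, shows that comparison beside the constant-time one (hmac.compare_digest) a fix relies on. The key, claims and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(header_b64, payload_b64, key):
    # JWS signing input is "<header>.<payload>" over the base64url parts.
    signing_input = f"{header_b64}.{payload_b64}".encode()
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_id_token(claims, key):
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(sign_hs256(header, payload, key))}"


def leaky_equals(a, b):
    # Returns on the first mismatching byte, so the elapsed time depends on
    # how many leading bytes of a presented signature are already correct.
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_id_token(token, key, constant_time=True):
    # Returns the claims on success, None on any failure.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm the key is for
        return None
    expected = sign_hs256(header_b64, payload_b64, key)
    presented = _b64url_decode(sig_b64)
    # compare_digest runs in time independent of where the bytes differ.
    compare = hmac.compare_digest if constant_time else leaky_equals
    if not compare(expected, presented):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

Both comparisons give the same accept/reject answer; the difference a fix removes is only in how long the reject takes.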

©2020 ForgeRock