A security vulnerability has been discovered in the OpenAM Core Server. This advisory provides guidance on how to ensure your deployments can be secured.
The severity of the issue in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the patch at the earliest opportunity.
Patch bundles are available through Backstage for the following versions:
Issue #201404-01: Denial of Service vulnerability – CVE-2014-7246
Affected versions: 9.5.3-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: n/a
Component: Core Server, Server Only
JIRA ID: OPENAM-4794
In environments where more than one OpenAM server has been configured, an authenticated attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the deployment until the affected instances are restarted.
No workaround available.
Deploy the relevant patch bundle.