OpenAM Security Advisory #201404

A security vulnerability has been discovered in the OpenAM Core Server. This advisory provides guidance on how to ensure your deployments can be secured.

The severity of the issue in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the patch at the earliest opportunity.

Patch bundles are available through Backstage for the following versions:

Issue #201404-01: Denial of Service vulnerability – CVE-2014-7246

Product: OpenAM
Affected versions: 9.5.3-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: n/a
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-4794

Description:

In environments where more than one OpenAM server has been configured, an authenticated attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the deployment until the affected instances are restarted.

Workaround:

No workaround available.

Resolution:

Deploy the relevant patch bundle.

1 Comment


  1. kurogi 5 years ago

    When is patch (11.0.0) released?

©2019 ForgeRock