A security vulnerability has been discovered in the OpenAM Core Server. This advisory provides guidance on how to ensure your deployments can be secured.
The severity of the issue in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the patch at the earliest opportunity.
Patch bundles are available through Backstage for the following versions:
Issue #201404-01: Denial of Service vulnerability – CVE-2014-7246
Product: OpenAM
Affected versions: 9.5.3-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: n/a
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-4794
Description:
In environments where more than one OpenAM server has been configured, it is possible that an authenticated attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the deployment until the affected instances are restarted.
Workaround:
No workaround available.
Resolution:
Deploy the relevant patch bundle.
When is the patch (11.0.0) released?