OpenAM Security Advisory #201501

Security vulnerabilities have been discovered in the OpenAM Web Policy Agents and Java EE Policy Agents. These issues are present in versions of the Web Policy Agents up to and including version 3.3.3 and Java EE Agents 3.3.0.

This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM Web Policy Agents 3.3.4 and OpenAM Java EE Policy Agents 3.5.0.

Issue #201501-01: Authorization bypass via path traversal

Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Critical
JIRA ID: OPENAM-4971

It is possible to gain unauthorized access to agent-protected resources if any of the following circumstances holds:

  • There is at least one not enforced URL configured with a multi-level wildcard (e.g. /css/* or /*.css)
  • Certain endpoints are protected with a strong policy and the attacker has access to a less protected resource

Workaround:

  1. If not enforced URLs are in use, limit the use of multi-level wildcards and add file-extension suffixes. For instance, the not enforced URI /*.css restricts the exploitable set of resources to endpoints whose path ends in .css.
  2. Configure network components (load balancers, firewalls, etc.) to reject incoming requests whose URI path contains “../” segments.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.

Issue #201501-02: Authorization bypass via path traversal

Product: OpenAM Java EE Policy Agents
Affected versions: 3.0.1-3.3.0
Fixed versions: 3.5.0
Component: Java EE Policy Agents
Severity: Critical
JIRA ID: OPENAM-4971

It is possible to gain unauthorized access to agent-protected resources if any of the following circumstances holds:

  • There is at least one not enforced URL configured with a multi-level wildcard (e.g. /css/* or /*.css)
  • Certain endpoints are protected with a strong policy and the attacker has access to a less protected resource

Workaround:

  1. If not enforced URLs are in use, limit the use of multi-level wildcards and add file-extension suffixes. The not enforced URI /*.css restricts the exploitable set of resources to endpoints whose path ends in .css.
  2. Configure network components (load balancers, firewalls, etc.) to reject incoming requests whose URI path contains “../” segments.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Java EE Policy Agents 3.5.0.
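The following Python check is an added illustration for issues #201501-01 and #201501-02 and is not code from the advisory or from the policy agents. It shows why a not enforced wildcard such as /css/* must be matched against the normalized request path rather than the raw one, and implements workaround 2 (rejecting “../” segments) in front of the match. The NOT_ENFORCED list is a constructed sample, and the percent-decoding step is an assumption added here for robustness; the advisory itself names only the literal “../” form.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed sample not-enforced list in the advisory's two wildcard styles.
NOT_ENFORCED = ["/css/*", "/*.css"]


def has_dotdot_segment(raw_path: str) -> bool:
    """True if any path segment is '..', checked both as sent and after
    percent-decoding (decoding is an added assumption: front-end proxies and
    web servers commonly decode %2E/%2F before resolving the path)."""
    for candidate in (raw_path, unquote(raw_path)):
        if any(seg == ".." for seg in candidate.split("/")):
            return True
    return False


def normalize(raw_path: str) -> str:
    """Resolve '.' / '..' and repeated slashes the way a web server does
    before it maps the path to a resource."""
    return posixpath.normpath("/" + unquote(raw_path).lstrip("/"))


def raw_wildcard_match(raw_path: str, patterns=NOT_ENFORCED) -> bool:
    """The flawed comparison: multi-level wildcard ('*' spans '/') applied to
    the raw path, so '/css/../x' still looks like it lives under /css/."""
    return any(fnmatchcase(raw_path, p) for p in patterns)


def not_enforced_decision(raw_path: str, patterns=NOT_ENFORCED) -> str:
    """Return 'reject', 'not_enforced' or 'enforce' for one request path.

    Traversal segments are rejected outright (workaround 2); everything else is
    matched only after normalization, so the decision is made on the resource
    the server will actually serve."""
    if has_dotdot_segment(raw_path):
        return "reject"
    path = normalize(raw_path)
    if any(fnmatchcase(path, p) for p in patterns):
        return "not_enforced"
    return "enforce"
```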

Issue #201501-03: libxml2 security update

Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: High or Critical (Solaris x86 agent builds)
JIRA ID: OPENAM-5412

OpenAM Web Policy Agents uses libxml2 for assembling and parsing XML documents needed for its communication with an OpenAM server.

Multiple issues have been found in older versions of these libraries. For details, read the libxml2 release notes or query the CVE database for libxml2 vulnerabilities.

New versions of OpenAM Web Policy Agents have been built using updated versions of the libraries.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.

Issue #201501-04: NSS/NSPR library security update

Product: OpenAM Web Policy Agents
Affected versions: 3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Medium

OpenAM Web Policy Agents use Network Security Services (NSS), a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

A security issue has been found in the NSS library version used within the 3.3.3 agent release. For details, read the NSS release notes.

New versions of OpenAM Web Policy Agents have been built using updated versions of NSS and NSPR.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.

Issue #201501-05: Modification of Assumed-Immutable Data

Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Medium

When the “Fetch Attributes for Not Enforced URLs” feature is enabled it is possible for unauthenticated users to inject HTTP headers.

Resolution:

Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.

©2019 ForgeRock