Security vulnerabilities have been discovered in the OpenAM Web Policy Agents and Java EE Policy Agents. These issues are present in versions up to and including Web Policy Agents 3.3.3 and Java EE Policy Agents 3.3.0.
This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases.
The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to OpenAM Web Policy Agents 3.3.4 and OpenAM Java EE Policy Agents 3.5.0.
Issue #201501-01: Authorization bypass via path traversal
Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Critical
JIRA ID: OPENAM-4971
It is possible to gain unauthorized access to agent-protected resources if either of the following circumstances applies:
- There is at least one not-enforced URL configured with a multi-level wildcard (e.g. /css/* or /*.css)
- Certain endpoints are protected with a strong policy and the attacker has access to a less-protected resource
Workaround:
- If not-enforced URLs are in use, limit the use of multi-level wildcards and use file extension suffixes. For instance, the not-enforced URI /*.css restricts the exploitable set of resources to endpoints that end with .css.
- Configure network components (load balancers, firewalls, etc.) to reject incoming requests whose URI path contains “../” segments.
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.
Issue #201501-02: Authorization bypass via path traversal
Product: OpenAM Java EE Policy Agents
Affected versions: 3.0.1-3.3.0
Fixed versions: 3.5.0
Component: Java EE Policy Agents
Severity: Critical
JIRA ID: OPENAM-4971
It is possible to gain unauthorized access to agent-protected resources if either of the following circumstances applies:
- There is at least one not-enforced URL configured with a multi-level wildcard (e.g. /css/* or /*.css)
- Certain endpoints are protected with a strong policy and the attacker has access to a less-protected resource
Workaround:
- If not-enforced URLs are in use, limit the use of multi-level wildcards and use file extension suffixes. The not-enforced URI /*.css restricts the exploitable set of resources to endpoints that end with .css.
- Configure network components (load balancers, firewalls, etc.) to reject incoming requests whose URI path contains “../” segments.
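As an added illustration of the workaround for Issues #201501-01 and #201501-02 (this is example code, not the agents' own matching logic): a small Python model of not-enforced URL matching that shows why a multi-level wildcard evaluated against an unnormalized path widens the not-enforced set, and how normalizing the path and rejecting “..” segments at the edge narrows it again. The patterns, request paths and function names are constructed for the example.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed not-enforced patterns of the kind named in the advisory.
# '*' here is a multi-level wildcard: fnmatch lets it span '/' as well.
NOT_ENFORCED = ["/css/*", "/*.css"]


def canonical_path(raw_path: str) -> str:
    """Percent-decode the path and collapse '.', '..' and '//' segments."""
    path = unquote(raw_path.split("?", 1)[0])
    # normpath keeps the leading slash and cannot climb above '/'.
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def has_traversal(raw_path: str) -> bool:
    """Edge check from the workaround: any '..' URI segment, decoded first
    so a percent-encoded variant is caught as well."""
    path = unquote(raw_path.split("?", 1)[0])
    return any(seg == ".." for seg in path.split("/"))


def is_not_enforced(raw_path: str, patterns=NOT_ENFORCED, normalize=True) -> bool:
    """Match a request path against the not-enforced list.
    normalize=False models matching on the raw path, which is the weak form."""
    path = canonical_path(raw_path) if normalize else raw_path
    return any(fnmatchcase(path, p) for p in patterns)


def decide(raw_path: str, patterns=NOT_ENFORCED) -> str:
    """Return 'reject', 'not_enforced' or 'enforce' for one request path."""
    if has_traversal(raw_path):
        return "reject"
    if is_not_enforced(raw_path, patterns):
        return "not_enforced"
    return "enforce"


if __name__ == "__main__":
    for p in ["/css/site.css", "/admin/", "/css/../admin/"]:
        print(p, "->", decide(p), "| raw match:", is_not_enforced(p, normalize=False))
```

Note that a path under /admin/ that happens to end in .css still matches /*.css after normalization, which is exactly the residual exposure the advisory describes for suffix-based patterns.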
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Java EE Policy Agents 3.5.0.
Issue #201501-03: libxml2 security update
Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: High (Critical for Solaris x86 agent builds)
JIRA ID: OPENAM-5412
OpenAM Web Policy Agents use libxml2 to assemble and parse the XML documents needed for communication with an OpenAM server.
Multiple issues have been found in older versions of this library. For more details, please read the libxml2 release notes or query the CVE database for libxml2 vulnerabilities.
New versions of OpenAM Web Policy Agents have been built using updated versions of the libraries.
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.
Issue #201501-04: NSS/NSPR library security update
Product: OpenAM Web Policy Agents
Affected versions: 3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Medium
OpenAM Web Policy Agents use Network Security Services (NSS), a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
A security issue has been found in the NSS library version used within the 3.3.3 agent release. For more details, please read the NSS release notes.
New versions of OpenAM Web Policy Agents have been built using updated versions of NSS and NSPR.
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.
Issue #201501-05: Modification of Assumed-Immutable Data
Product: OpenAM Web Policy Agents
Affected versions: 3.0.1-3.3.3
Fixed versions: 3.3.4
Component: Web Policy Agents
Severity: Medium
When the “Fetch Attributes for Not Enforced URLs” feature is enabled, it is possible for unauthenticated users to inject HTTP headers.
Resolution:
Download (https://backstage.forgerock.com/#!/downloads/OpenAM) and deploy Web Policy Agents 3.3.4.