OpenAM Security Advisory #201502

Security vulnerabilities have been discovered in OpenAM components including the Core Server. These issues are present in versions of OpenAM including 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Patches are available for all of the issues and workarounds for some of them; all fixes are also included in the 12.0.0 release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.0. Alternatively, patch bundles are available for the following versions:

  • 10.0.2
  • 11.0.2

Customers can obtain these patch bundles from BackStage.

Community members without a current subscription can request patches for Critical issues by contacting info@forgerock.com.

Issue #201502-01: Authorization bypass via path traversal

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-4971

It is possible to gain unauthorized access to policy-protected resources when multi-level wildcards (“*”) are used within policies, certain endpoints are protected by a strong policy, and the attacker has access to a less protected resource.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-02: XML Signature Wrapping in SAML 1.x

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High or Critical (if OpenAM acts as a Relying Party)
JIRA ID: OPENAM-3634

It is possible for attackers to construct SAML 1.x protocol messages with arbitrary content that OpenAM’s XML Signature verification logic accepts as validly signed. Note that this mainly affects deployments where OpenAM acts as a SAML 1.x Relying Party.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
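The class of attack behind this issue is XML Signature Wrapping: the signed assertion is left intact, so the signature still verifies, but an unsigned assertion is placed where the consumer looks first. The following is an added example, not OpenAM's code, showing the structural checks a Relying Party should apply after signature verification: accept exactly one signature, resolve its Reference to exactly one element, require that element to be an Assertion that envelopes the signature, and consume only that element. The two SAML 1.x responses are constructed samples with the ds:Signature reduced to its Reference skeleton (no digests or key material, since cryptographic verification is out of scope here); the Wrapper element name and the requirement that the signed assertion be a direct child of the Response are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Real namespace URIs for SAML 1.x and XML Signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]

# Constructed sample: a benign response with one signed assertion (SAML 1.x
# uses the AssertionID attribute). Digests and key material are omitted.
BENIGN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion AssertionID="a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
    <saml:AuthenticationStatement><saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the signed assertion "a1" is moved into a wrapper element
# and an unsigned assertion "a2" is placed first. The signature over a1 is
# untouched, so a verifier that only asks "does some signature validate?" passes.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion AssertionID="a2">
    <saml:AuthenticationStatement><saml:Subject>
      <saml:NameIdentifier>mallory</saml:NameIdentifier>
    </saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
  <Wrapper>
    <saml:Assertion AssertionID="a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
      <saml:AuthenticationStatement><saml:Subject>
        <saml:NameIdentifier>alice</saml:NameIdentifier>
      </saml:Subject></saml:AuthenticationStatement>
    </saml:Assertion>
  </Wrapper>
</samlp:Response>"""


def subject_name(assertion):
    el = assertion.find(".//saml:NameIdentifier", NS)
    return el.text if el is not None else None


def naive_first_assertion(xml_text):
    """The consumer pattern XSW exploits: take the first Assertion in document
    order, trusting that *a* signature somewhere in the message verified."""
    return subject_name(ET.fromstring(xml_text).find(".//saml:Assertion", NS))


def signed_assertion(xml_text):
    """Return the single Assertion the signature actually covers, or raise."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one signature, found %d" % len(sigs))
    sig = sigs[0]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    wanted = uri[1:]
    # The referenced ID must be unique: classic XSW reuses the signed ID on the
    # attacker's element, and ID-based lookup must not be fooled by that.
    targets = [el for el in root.iter() if el.get("AssertionID") == wanted]
    if len(targets) != 1:
        raise ValueError("signed ID %r must identify exactly one element" % wanted)
    target = targets[0]
    if target.tag != ASSERTION_TAG:
        raise ValueError("signature must cover an Assertion")
    if sig not in list(target):
        raise ValueError("signature must be enveloped in the assertion it signs")
    # Position check (this example's choice): the signed assertion must sit
    # where the protocol puts it, directly under the Response, not in a wrapper.
    if target not in list(root):
        raise ValueError("signed assertion must be a direct child of the Response")
    return target


def consume(xml_text):
    """Subject of the assertion a careful consumer would use, or None if rejected."""
    try:
        return subject_name(signed_assertion(xml_text))
    except ValueError:
        return None
```

Run stand-alone, `consume(BENIGN)` yields "alice", `consume(WRAPPED)` yields None, while `naive_first_assertion(WRAPPED)` yields "mallory": the naive consumer would log in the attacker's chosen subject on the strength of a signature that covers a different element.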

Issue #201502-03: Authentication bypass in WS-Federation

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High 

When OpenAM acts as a WS-Federation Identity Provider and more than one realm has been configured, it is possible to obtain access to Relying Parties configured in a realm other than the current session’s realm.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-04: Denial of Service

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High 

It is possible to cause a denial of service by accessing a specific OpenAM endpoint.

Workaround:

Block access to the following URI:

/<deployment URI>/configurator

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-05: Authorization bypass in the REST API

Product: OpenAM
Affected versions: 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High 

When self registration is enabled, it is possible to use the tokenId and confirmationId sent out during registration to register end-users in realms other than the one originally intended.

Workaround:

Disable self registration until a patch can be deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-06: Unauthorized access

Product: OpenAM
Affected versions: 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High 

A bug in the policy evaluation framework makes it possible for an authenticated user to gain unauthorized access to certain resources regardless of the policy evaluation mode (self/subtree).

The issue may occur if a policy rule is defined in the format http*://example.com:*/index.html. In this case the last wildcard may also match part of the URI path, not just the port number, so URLs with additional path segments before index.html can satisfy the rule.

Workaround:

Reconstruct the policies so that wildcards aren’t used in place of the port number.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
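The following is an added example, not OpenAM's policy engine, that illustrates the failure mode and the workaround's rationale: a matcher that expands every "*" to ".*" over the whole URL string, beside one that splits both the pattern and the URL into scheme, host, port and path and confines each wildcard to its own component, so a port wildcard can only ever match digits. The pattern grammar, the default-port handling, the decision that a pattern without a port matches any port, and ignoring the query string are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit


def naive_resource_regex(pattern):
    """Whole-string wildcard matching: every '*' becomes '.*', so the wildcard
    in the port position can swallow '80/secret' and the rule still matches."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def naive_matches(pattern, url):
    return bool(naive_resource_regex(pattern).match(url))


# Assumed pattern grammar: scheme://host[:port][/path], '*' allowed in any part.
PATTERN_RE = re.compile(
    r"^(?P<scheme>[^:/]+)://(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?P<path>/.*)?$"
)


def glob_part(glob, value, star):
    """Match one URL component against its glob. 'star' is the regex a '*' may
    expand to inside this component; that is what stops a port wildcard from
    spilling into the path."""
    regex = "^" + star.join(re.escape(p) for p in glob.split("*")) + "$"
    return re.match(regex, value) is not None


def strict_matches(pattern, url):
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError("unsupported resource pattern: %r" % pattern)
    u = urlsplit(url)
    try:
        port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    except ValueError:          # malformed port in the URL
        return False
    if port is None:
        return False
    return (
        glob_part(m["scheme"], u.scheme, "[a-z]*")
        and glob_part(m["host"], u.hostname or "", "[^/:]*")
        # A port wildcard may only expand to digits. A pattern with no port
        # matches any port (this example's choice).
        and glob_part(m["port"] or "*", str(port), r"\d*")
        # Only the path wildcard may cross '/' (multi-level). Query string ignored.
        and glob_part(m["path"] or "/*", u.path or "/", ".*")
    )
```

With the rule from the text, `naive_matches("http*://example.com:*/index.html", "http://example.com:80/secret/index.html")` is True, which is exactly the over-match described above; `strict_matches` rejects it while still accepting `https://example.com:8443/index.html` and `http://example.com/index.html`.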

Issue #201502-07: Cross Site Scripting

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: High 

OpenAM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing.

An automated scan found the following endpoints to be vulnerable to cross-site scripting and/or open redirect attacks:

Affecting 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress and 11.0.0-11.0.2:

  • /openam/WSFederationServlet (Core Server, Server Only)
  • /openam/task/CreateRemoteIDP (Core Server)
  • /openam/task/CreateRemoteSP (Core Server)
  • /openam/federation/ImportEntity (Core Server)
  • /openam/UI/Login (Core Server, Server Only, DAS)
  • /openam/console/ajax/AjaxProxy.jsp (Core Server)

Workaround:

Protect the listed endpoints at the container or web front end (for example using the mod_security Apache module), or filter external requests to them, until a patch is deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-08: Information leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Medium 

It is possible to obtain information about the deployment by sending specially crafted requests to OpenAM.

Workaround:

Block access to the following URI:

  • /openam/config/*

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-09: Insecure password storage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Medium 

It has been discovered that the following passwords were stored in plain text in the configuration:

  • com.sun.identity.crl.cache.directory.password
  • org.forgerock.services.cts.store.password

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. It is recommended to also change the password for the affected accounts.

Issue #201502-10: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Medium 

Due to a bug in the goto URL validation subsystem, specially constructed goto URLs were accepted as valid, making it possible to redirect end-users to sites outside the intended set of valid resources (open redirect).

Workaround:

Avoid the usage of wildcard characters in the scheme, host and port parts of the valid resources.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
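As an added illustration (not the OpenAM goto validator), the following contrasts whole-string wildcard matching of a goto URL with a validator that parses the URL and compares its origin exactly. The allow-list entries and URLs are constructed. Two of the URLs show why the workaround tells you to keep wildcards out of the scheme, host and port positions: a "*" there matches userinfo ("host:pass@evil.com", which a browser resolves to evil.com) or a path segment that merely looks like a hostname. The relative-path and backslash handling are this example's own choices.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed allow-list of exact origins (scheme, host, port); no wildcards.
ALLOWED_ORIGINS = {("https", "sso.example.com", 443), ("http", "sso.example.com", 80)}

# Constructed wildcard allow-list of the kind the workaround warns against.
WILDCARD_PATTERNS = ["http*://sso.example.com:*/*", "http*://*.example.com/*"]


def naive_goto_allowed(goto, patterns=WILDCARD_PATTERNS):
    """Glob the whole URL string: '*' matches anything, including '@' and '/'."""
    return any(fnmatch.fnmatchcase(goto, p) for p in patterns)


def strict_goto_allowed(goto, allowed=ALLOWED_ORIGINS):
    """Parse the URL and accept only an exact (scheme, host, port) match."""
    if "\\" in goto:                       # browsers treat '\' like '/'
        return False
    if goto.startswith("/") and not goto.startswith("//"):
        return True                        # same-site relative path
    u = urlsplit(goto)
    if u.scheme not in ("http", "https"):  # blocks javascript:, data:, and //host
        return False
    if u.username is not None or u.password is not None:
        return False                       # 'sso.example.com:pass@evil.com' trick
    try:
        port = u.port
    except ValueError:                     # malformed port
        return False
    port = port or (443 if u.scheme == "https" else 80)
    return (u.scheme, (u.hostname or "").lower(), port) in allowed
```

Both `http://sso.example.com:pass@evil.com/` and `http://evil.com/x.example.com/` pass the wildcard check and land the user on evil.com; the origin-based validator rejects both while still accepting `https://sso.example.com/profile` and a relative `/profile`.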

Issue #201502-11: Login CSRF

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only, DAS
Severity: Medium 

It is possible to perform login CSRF attacks using the built-in authentication endpoints.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. The fix has introduced two new settings under Access Control – realm – Authentication – All Core Settings:

  • openam.auth.zero.page.login.referer.whitelist: The list of valid Referer header values
  • openam.auth.zero.page.login.allow.null.referer: Whether requests without Referer header should be accepted by OpenAM
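The two settings describe a Referer-based defence: a request that carries credentials directly to the login endpoint is accepted only if its Referer names an allowed source, with a separate switch for requests that carry no Referer at all (some proxies and privacy settings strip the header, so rejecting those breaks legitimate clients). As an added example, not OpenAM's code, the function below implements that policy. It assumes whitelist entries are compared as origins (scheme, host, port), which is this example's design choice; the prefix comparison is included only to show the pitfall of treating the whitelist as string prefixes.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Normalise a URL to (scheme, host, port), or None if unusable."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    try:
        port = u.port
    except ValueError:
        return None
    return (u.scheme, u.hostname.lower(), port or (443 if u.scheme == "https" else 80))


def zero_page_login_allowed(referer, whitelist, allow_null_referer=False):
    """Decide whether a credential-bearing login request may proceed.
    'whitelist' and 'allow_null_referer' mirror the two settings above;
    the origin comparison is this example's assumption, not OpenAM's."""
    if not referer:
        return allow_null_referer
    origin = origin_of(referer)
    if origin is None:
        return False
    return origin in {o for o in map(origin_of, whitelist) if o is not None}


def prefix_check_is_unsafe(referer, whitelist):
    """The tempting shortcut, shown only to demonstrate why it is wrong."""
    return any(referer.startswith(w) for w in whitelist)
```

A Referer of `https://sso.example.com.evil.net/` passes the prefix check for a whitelist entry of `https://sso.example.com` but fails the origin comparison; a null Referer is decided purely by the second setting. Referer checks are a mitigation, not a substitute for an anti-CSRF token, because the header is under the client's control and is often absent.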

Issue #201502-12: Login CSRF in OAuth2 authentication module

Product: OpenAM
Affected versions: 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Medium 

The OAuth2 authentication module is vulnerable to Login CSRF attacks.

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-13: Business Logic Vulnerability

Product: OpenAM
Affected versions: 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Medium 

If more than one realm is configured in OpenAM, it is possible for an end-user in one realm to access an existing OAuth2 access token from a different realm’s end-user who shares the same username.

Workaround:

Block access to the following URI:

  • frrest/oauth2/token

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201502-14: Business Logic Vulnerability

Product: OpenAM
Affected versions: 11.0.0-11.0.2
Fixed versions: 12.0.0
Component: Core Server, Server Only
Severity: Low 

It is possible to perform self registration with existing tokenId and confirmationId values after self registration has been disabled (as long as the tokens remain valid).

Workaround:

No workaround available.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

©2019 ForgeRock