OpenAM Security Advisory #201503

Security vulnerabilities have been discovered in OpenAM components including the Core Server. These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, and the fixes are also included in the 11.0.3 release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 11.0.3 or deploy the relevant patches. Alternatively, patch bundles are available for the following versions:

  • 10.0.2
  • 11.0.2

Customers can obtain these patch bundles from BackStage.

Community members without a current subscription can request patches for Critical issues by contacting info@forgerock.com.

Issue #201503-01: Cross Site Request Forgery

Product: OpenAM
Affected versions: 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2 and 12.0.0
Fixed versions: 11.0.3
Component: Core Server, Server Only
Severity: Critical
JIRA ID: OPENAM-5492

When the “Prompt user for old password” feature is disabled (which is the default), it is possible for a skilled attacker to change the user’s password without their knowledge.

Workaround:

Enable the “Prompt user for old password” feature if it is not already enabled. See the console administration reference for your version:

  • OpenAM 11.0.0: http://docs.forgerock.org/en/openam/11.0.0/reference/#console-administration
  • OpenAM 12.0.0: http://docs.forgerock.org/en/openam/12.0.0/reference/#console-administration

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201503-02: Cross Site Scripting

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2, 12.0.0
Fixed versions: 11.0.3
Component: Core Server, Server Only
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing.

The following endpoint has been found to be vulnerable to cross-site scripting attacks:

  • /openam/oauth/registerconsumer.jsp (Core Server, Server Only)

Workaround:

Protect the aforementioned endpoint at the container level (for example, using the mod_security Apache module) or filter external requests to it until a patch is deployed.
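A container-level restriction of the kind the workaround describes, as an added example that is not part of the advisory. It assumes Apache httpd 2.4 fronting the OpenAM container and uses 10.0.0.0/8 as a stand-in for the administrative network; both are assumptions, and the rule id is a constructed value.

```apache
# Added example, not from the advisory: restrict the vulnerable endpoint at the
# container level until the patch bundle is deployed.
# Assumptions: Apache httpd 2.4 proxies /openam to the OpenAM container, and
# 10.0.0.0/8 stands in for the administrative network that may still reach the page.

# Option A (mod_authz_core): only the admin network may reach the endpoint;
# every other client receives 403. Location matching is done on the decoded
# path without the query string, so the $ anchor is safe here.
<LocationMatch "^/openam/oauth/registerconsumer\.jsp$">
    Require ip 10.0.0.0/8
</LocationMatch>

# Option B (mod_security): block the endpoint outright for all clients and log
# each hit so the attempts show up in the audit log. 1000001 is a constructed
# local rule id; use one from your own reserved range.
SecRuleEngine On
SecRule REQUEST_URI "@rx ^/openam/oauth/registerconsumer\.jsp" \
    "id:1000001,phase:1,deny,status:403,log,msg:'OpenAM #201503-02 workaround: registerconsumer.jsp blocked'"
```

Use one option or the other; after deploying the fixed version or patch bundle, remove the restriction and confirm the endpoint is reachable only as intended.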

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201503-03: Password recorded as plain text during install

Product: OpenAM
Affected versions: 11.0.2, 12.0.0
Fixed versions: 11.0.3
Component: Core Server, Server Only
Severity: Medium

When performing new installations of OpenAM 11.0.2 and 12.0.0, the installation properties are recorded in the install log at the end of the OpenAM installation process to aid diagnostic analysis. If OpenAM is configured to use an external user store, the user data store’s LDAP password is written in plain text to the installation log file.

Workaround:

Remove the plain text entry from the install log after installation or delete the install log file.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle before performing a new configuration. If the log file may have been compromised, change the password for the user data store as well.

5 Comments


  1. Daly 4 years ago

    Hello,

    As this security issue is mentioned as critical, we made a request at info@forgerock.com to obtain the patch; the answer was that security patches are available just for subscribed users. Could you please confirm, so that we could understand your open source policy regarding critical issue patches? Thank you.

    Regards

  2. Daly 4 years ago

    We can however read on your security policy page https://www.forgerock.com/en-us/services/security-policy/ :
    “Community: ForgeRock will make security patches available to the community for all critical security issues that affect binary versions of ForgeRock products that were released under the CDDL and that remain in their service-life window. These critical security patches will be available immediately from the time of publication. In order to obtain the critical security patches, community members must contact ForgeRock directly at info@forgerock.com.”

  3. Peter Major 4 years ago

    I’ve just double checked and the security patches for #201503-01 are available for the community, and you should have been able to obtain the necessary access details through info@forgerock.com. I would suggest to reach out to ForgeRock again, and make sure you mention that you would like to obtain the *critical* security patches.
    Apologies about the inconvenience.

  4. badamczyk 3 years ago

    Hi Peter,
    I have already sent 2 emails (one on 31st March 2015, the second on 3rd July 2015) to info@forgerock.com and still did not receive the critical OpenAM patches nor a response. It is already 7 months after the advisory.

    Regards

  5. Peter Major 3 years ago

    The current text of the security policy is that we only provide security patches for CDDL licensed releases, and at the moment 11.0.0 and 12.0.0 are being interpreted (by ForgeRock) as released under the ForgeRock binary licence. This means that security patches are only made available for the 10.0.0 version at the moment.
    Hopefully this will change in the future, but until then you will need to port those fixes manually either from trunk or from the 10.0.0 versioned patches.
