OpenAM Security Advisory #201505

Security vulnerabilities have been discovered in OpenAM components including the Core Server and Distributed Authentication Server (DAS). These issues are present in versions of OpenAM including 12.0.0, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.1 maintenance release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.1 or deploy the relevant patches. Patch bundles are available for the following versions:

  • 10.0.2
  • 11.0.3
  • 12.0.0

Customers can obtain these patch bundles from BackStage.
Community members without a current subscription can request patches for Critical issues by contacting info@forgerock.com.

Issue #201505-01: Deserialization of untrusted data

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions: 12.0.1
Component: Core Server, Server Only, Distributed Authentication Service
Severity: Critical
JIRA ID: OPENAM-5925

Using a well crafted request an attacker may be able to perform remote code execution.

Workaround:

None

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-02: Authentication bypass in SAMLv2

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions: 12.0.1
Component: Core Server, Server Only
Severity: High

When OpenAM acts as a SAMLv2 Identity Provider and more than one realm has been configured it is possible to obtain access to Service Providers that have been configured in a different realm than the current session’s realm.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-03: XML injection vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions: 12.0.1
Component: Core Server, Server Only
Severity: High

A well crafted XML document can be used to exploit the default high entity expansion limits of the xml parser and cause a denial of service attack for a short interval.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. Once the patch is deployed the number of allowed XML entity expansions can be configured via the -Dorg.forgerock.util.xml.entity.expansion.limit=5000 JVM parameter. The setting defaults to 5000.

Issue #201505-04: A non admin user can import/export XACML policies via ssoadm

Product: OpenAM
Affected versions: 12.0.0
Fixed versions: 12.0.1
Component: ssoadm
Severity: Medium

A user with an account in OpenAM that has access to a configured ssoadm tool can import, export and list XACML policies.

Workaround:

Restrict access to the ssoadm command-line tool to only system administrators.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201505-05: Insecure default passwords

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0
Fixed versions: 12.0.1
Component: OpenDJ, DSEE data stores
Severity: Medium

When OpenAM is configured with external OpenDJ or Oracle Directory Server Enterprise Edition (formerly Sun DSEE), or when the “Load Schema when saved” feature is used, the users created will have unsafe passwords.

Workaround:

When using DSEE:

  • Remove the following entries from the directory:
    cn=dsameuser,ou=DSAME Users,ROOT_SUFFIX
    cn=amldapuser,ou=DSAME Users,ROOT_SUFFIX
  • Remove the ACIs targeting above users from the ROOT_SUFFIX entry

When using OpenDJ:

  • Remove the following entries from the directory:
    cn=ldapuser,ou=opensso adminusers,ROOT_SUFFIX
    cn=openssouser,ou=opensso adminusers,ROOT_SUFFIX
  • Remove the ACIs targeting above users from the ROOT_SUFFIX entry

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle and perform the steps listed in the workaround to remove the faulty entries from the affected directories.

1 Comment

Comments are closed.

  1. spikerobinson 3 years ago

    Other (more recent) Critical advisories have a patch for 11.0.2. Is there no patch for 11.0.2 for this advisory #201505?

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?