OpenAM Security Advisory #201601

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 10.0.2
  • 11.0.3
  • 12.0.1
  • 12.0.2

Customers can obtain these patch bundles from BackStage.

Issue #201601-01: Open Redirect

Product: OpenAM
Affected versions: 9.5.5, 10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only, DAS
Severity: Critical

Due to a bug in the goto URL validation system it was possible to perform Open Redirect attacks by sending the end-users to specially constructed URLs that were considered valid by the goto URL validator.

Workaround:
Enable the XUI, which is not vulnerable to this issue.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-02: Potential Denial of Service attack in multi-site deployments

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

Multi-site deployments of OpenAM which share the same load-balancer are vulnerable to a Denial of Service attack using carefully crafted requests.

Workaround:
Configure load-balancers to only route requests for a single site and not to re-route any requests for a different site.

Resolution:
Deploy the workaround or update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-03: Cross Site Scripting

Product: OpenAM
Affected versions: see below
Fixed versions: 13.0.0
Component: see below
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
Affecting 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:
/openam/federation/* (Core Server)
/openam/saml2/jsp/exportmetadata.jsp (Core Server, Server Only)
/openam/WSFederationServlet/metaAlias (Core Server, Server Only)

Affecting 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:
/openam/oauth2c/OAuthLogout.jsp (Core Server, Server Only)

Workaround:
Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-04: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

The following obsolete ID-FF federation endpoints did not correctly validate redirect URLs allowing an attacker to redirect an end-user to a site they control:
/openam/consentHandler
/openam/federation

Workaround:
Block access to the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-05: Business Logic Vulnerability

Product: OpenAM
Affected versions: 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If more than one realm is configured in OpenAM it is possible for a user in one realm to generate security tokens for a different realm via the REST STS.

Workaround:
Block access to the following URI:
/openam/rest-sts/*

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-06: Business Logic Vulnerability

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If more than one realm is configured in OpenAM it is possible for an OAuth2 client in one realm to obtain an OAuth2 access_token for a different realm.

Workaround:
Block access to the following URI:
/openam/oauth2/access_token

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-07: Open Email Relay

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If the self-service interfaces are enabled it is possible for an attacker to send email using the configured email server.

Workaround:
Disable all user self-service interfaces in Configuration > Global > User Self Service and for any realms you have enabled it for in [realm] > Services > User Self Service.

Resolution:
Important Note:
This is a backwards-incompatible change, the forgotPassword and register actions are now utilizing localized messages defined in RestSecurity.properties. To define different subjects and messages per realm, please utilize the new “Localization Bundle” setting in the User Self Service service.
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-08: Previous Administrator Password Still Valid

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

After changing the administrator (amAdmin) password it is possible to log in using the old password until the new password has been used once.

Workaround:
After changing the administrator password, log in once using the new password on each server in the deployment or restart all servers.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-09: Insufficient Authorization

Product: OpenAM
Affected versions: 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If the Device ID Match/Save modules are used, it is possible for an attacker to access saved device profiles for another user and use them to spoof that user’s device.

Workaround:
Block access to the following endpoint:
/openam/json/users/*/devices/trusted/
Where * should match any user id.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle. If you believe that a user’s device profiles may have been compromised then you should disable Device ID Match modules.

Issue #201601-10: Information Leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

It is possible to obtain information about which accounts exist on the system by sending carefully crafted requests to the following endpoints:
/openam/json/authenticate
/openam/identity/authenticate
/openam/identity/xml/authenticate
/openam/identity/json/authenticate

Workaround:
Block access to the following endpoints:
/openam/json/authenticate
/openam/identity/authenticate
/openam/identity/xml/authenticate
/openam/identity/json/authenticate

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-11: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only, DAS
Severity: Medium

If relative goto URLs are added to the redirect URL whitelist an attacker can use a carefully crafted URL to redirect end-users to a different destination.

Workaround:
Ensure that all whitelisted redirect resources are in absolute format, i.e. they have protocol scheme defined.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-12: OATH Replay Vulnerability

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

If OATH TOTP authentication is enabled an attacker who is able to intercept a TOTP code may be able to replay it within the same TOTP time step.

Workaround:
Disable OATH TOTP authentication or reduce the time step size to mitigate the vulnerability.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-13: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

Using a carefully crafted request an attacker may be able to redirect an end-user to a non-validated redirect URL. The attacker must be able to set cookies in the same domain as OpenAM. The following endpoint is vulnerable:
/openam/cdcservlet

Workaround:
Block access to the following endpoint if you are not using CDSSO:
/openam/cdcservlet

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle

Issue #201601-14: Content Spoofing Vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

Using a carefully crafted request an attacker can display plain text messages within the content of a valid page.

Workaround:
Block access to the following endpoints:
/openam/validatorFooter.jsp
/openam/validateWait.jsp

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-15: Password Logging

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Low

If MESSAGE-level debug logging is enabled the SecurID module logs passwords in plain text.

Workaround:
Disable MESSAGE-level debug logging in all production environments.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?