OpenAM Security Advisory #201604

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 13.0.0, 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 11.0.3
  • 12.0.1
  • 12.0.2
  • 13.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201604-01: User Impersonation via OAuth2 access tokens

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.1-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Critical

A specific type of request to the /openam/oauth2/access_token endpoint can result in obtaining an OAuth2 access token on behalf of any user in the current realm.

Workaround:
Ensure that the com.sun.identity.saml.checkcert advanced server property is set to on (the default) so that basic certificate validation is carried out. Additionally, you must verify that the OpenAM keystore does not contain expired and/or untrusted certificates.

If unsure, block all access to the /openam/oauth2/access_token endpoint.

Resolution:
Deploy the relevant patch bundle. Note that as part of the resolution several additional checks have been implemented for the SAML2 OAuth2 grant. After installing a patch you will need to perform the following additional steps:

  • The issuer of the assertion must be configured as a remote IdP
  • The audience of the assertion must be configured as a hosted SP
  • The hosted SP and the remote IdP must be in the same Circle Of Trust
  • The assertion parameter value MUST be Base64url encoded
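The four checks listed above are the ones a relying party should make on a SAML2 bearer assertion before exchanging it for an access token. The following is an added illustration of those checks in Python; it is not OpenAM code, and the trust registry (two remote IdPs, one hosted SP, two Circles of Trust), the sample assertion and the function names are all constructed for the example. Signature verification of the assertion is a separate, still mandatory step (the checkcert workaround above concerns it) and is deliberately not shown here.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed federation configuration (assumption; stands in for the server's own config).
IDP_A = "https://idp-a.example.org/saml2"
IDP_B = "https://idp-b.example.org/saml2"
HOSTED_SP = "https://sp.example.com/openam/saml2"
REMOTE_IDPS = {IDP_A, IDP_B}          # issuers configured as remote IdPs
HOSTED_SPS = {HOSTED_SP}              # audiences configured as hosted SPs
CIRCLES_OF_TRUST = {
    "cot-main": {IDP_A, HOSTED_SP},
    "cot-other": {IDP_B},             # IdP B is known but shares no CoT with the SP
}

BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def encode_assertion(xml_bytes):
    """Base64url-encode an assertion the way a client must send it (padding stripped)."""
    return base64.urlsafe_b64encode(xml_bytes).decode("ascii").rstrip("=")


def decode_assertion(param):
    """Accept only the Base64url alphabet; '+' and '/' from standard Base64 are rejected."""
    stripped = param.rstrip("=")
    if not BASE64URL_RE.fullmatch(stripped):
        raise ValueError("assertion parameter is not Base64url")
    padded = stripped + "=" * (-len(stripped) % 4)
    return base64.urlsafe_b64decode(padded)


def check_assertion_grant(param):
    """Return (accepted, reason) after the issuer, audience, CoT and encoding checks.

    Signature verification is a separate, still-mandatory step not shown here.
    """
    try:
        raw = decode_assertion(param)
    except ValueError as exc:
        return False, str(exc)
    try:
        root = ET.fromstring(raw)  # use defusedxml on untrusted input in production
    except ET.ParseError:
        return False, "assertion is not well-formed XML"
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "root element is not a SAML2 Assertion"

    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in REMOTE_IDPS:
        return False, "issuer is not a configured remote IdP"

    audiences = {
        a.text.strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    }
    sp = next((a for a in audiences if a in HOSTED_SPS), None)
    if sp is None:
        return False, "audience is not a hosted SP"

    # Both parties must be members of one and the same Circle of Trust.
    if not any({issuer, sp} <= members for members in CIRCLES_OF_TRUST.values()):
        return False, "issuer and audience are not in the same Circle of Trust"
    return True, "ok"


# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" '
    f'IssueInstant="2016-04-01T00:00:00Z">'
    f"<saml:Issuer>{IDP_A}</saml:Issuer>"
    "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>"
    "<saml:Conditions><saml:AudienceRestriction>"
    f"<saml:Audience>{HOSTED_SP}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>"
    "</saml:Assertion>"
).encode()


if __name__ == "__main__":
    print(check_assertion_grant(encode_assertion(SAMPLE_ASSERTION)))
    print(check_assertion_grant("a+b/c"))
```

The order matters: the encoding check runs first so that nothing is parsed unless the parameter is in the expected form, and the Circle of Trust check runs last because it needs both the issuer and the matched hosted SP.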

Issue #201604-02: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High

The following endpoint does not correctly validate redirect URLs, allowing an attacker to redirect an end-user to a site they control:

  • /openam/idm/EndUser

Workaround:
Block all access to the /openam/idm/EndUser endpoint.

Resolution:
Deploy the relevant patch bundle and ensure that at least one whitelist URL is defined for the redirection validation to be applied.
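Whitelist-based redirection validation, as required by the resolution above, is easy to get subtly wrong: scheme-relative URLs, userinfo tricks and backslashes all need to be handled. The following is an added Python example of such a validator, not OpenAM's own implementation; the whitelist entries and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed whitelist of (scheme, hostname) pairs a "goto" parameter may point to (assumption).
REDIRECT_WHITELIST = {
    ("https", "portal.example.com"),
    ("https", "sso.example.com"),
}


def is_safe_redirect(goto):
    """Accept a site-relative path or an absolute URL whose scheme/host pair is whitelisted."""
    if not goto:
        return False
    # Control characters enable header injection; browsers treat '\' as '/', so
    # "/\evil.com" would become a scheme-relative URL after normalisation.
    if any(c in goto for c in "\r\n\t\\"):
        return False
    # A path such as "/console" stays on this site; "//evil.com" does not.
    if goto.startswith("/") and not goto.startswith("//"):
        return True
    parts = urlsplit(goto)
    if not parts.scheme or not parts.netloc:
        return False                      # "//evil.com", "javascript:...", "https:foo"
    if parts.username is not None or parts.password is not None:
        return False                      # "https://portal.example.com@evil.com"
    try:
        port = parts.port
    except ValueError:
        return False                      # malformed port
    if port not in (None, 443):
        return False
    return (parts.scheme.lower(), parts.hostname) in REDIRECT_WHITELIST


def redirect_target(goto, default="/"):
    """Return the requested target if it passes validation, otherwise a safe default."""
    return goto if is_safe_redirect(goto) else default


if __name__ == "__main__":
    for candidate in ("/console", "//evil.example.net", "https://portal.example.com/app",
                      "https://portal.example.com@evil.example.net/", "/\\evil.example.net"):
        print(f"{candidate!r:50} -> {redirect_target(candidate)}")
```

`urlsplit` lowercases `hostname` but not `scheme`, hence the explicit `lower()`; comparing the parsed host rather than doing a string prefix match is what stops `https://portal.example.com.evil.example.net` from passing.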

Issue #201604-03: Cross Site Scripting

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only, DAS
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
The following endpoint was found vulnerable:

  • /openam/cdcservlet

Workaround:
Block all access to the /openam/cdcservlet endpoint.

Resolution:
Deploy the relevant patch bundle.

Issue #201604-04: Insufficient Authorization

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High

Due to insufficient authorization checks it is possible to modify arbitrary user attributes for a personal account when using the /json/users endpoint.

Workaround:
Disable the forgotten password feature in all realms:

  • Disable Forgot Password for Users under Legacy User Self Service service (13.0.0)
  • Disable Forgot Password for Users under User Self Service service (12.0.x)
  • Disable Forgot Password for Users under REST Security service (11.0.x)

Resolution:
Deploy the relevant patch bundle.

Issue #201604-05: Information Leakage via Account Lockout

Product: OpenAM
Affected versions: 13.0.0 (and versions with #201601 security patch applied)
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium

OpenAM can leak information about password correctness even when OpenAM’s Account Lockout feature is enabled, allowing brute-force attackers to guess passwords for end-users.
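The class of defect described above is an authentication response that still depends on whether the password was correct once the account is locked, which turns the lockout into a password oracle. The advisory does not describe the specific code path, so the following is an added, generic Python illustration (not OpenAM code): a leaky login routine beside a hardened one that decides on lockout before the credential is examined, plus a check that tells the two apart. The account store, thresholds and function names are constructed for the example.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3
GENERIC_FAILURE = "Authentication failed"
PBKDF2_ROUNDS = 20_000  # kept low for the illustration; use far more in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Minimal in-memory account with a failure counter and a lock flag (constructed)."""

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.failures = 0
        self.locked = False

    def password_matches(self, password):
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def record_failure(self):
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True


def login_leaky(acct, password):
    """Verifies the password first; 'Account locked' is only reachable with the right
    password, so a locked account still answers the question 'was that the password?'."""
    if acct.password_matches(password):
        if acct.locked:
            return "Account locked"
        acct.failures = 0
        return "OK"
    acct.record_failure()
    return "Invalid password"


def login_hardened(acct, password):
    """Decides on the lock state before the credential is examined and returns one
    generic message for every failure, so a locked account reveals nothing."""
    if acct.locked:
        return GENERIC_FAILURE
    if acct.password_matches(password):
        acct.failures = 0
        return "OK"
    acct.record_failure()
    return GENERIC_FAILURE


def lockout_leaks(login):
    """True if, once the account is locked, the response still depends on password correctness."""
    acct = Account("alice", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        login(acct, "wrong guess")
    assert acct.locked
    return login(acct, "correct horse battery staple") != login(acct, "wrong guess")


if __name__ == "__main__":
    print("leaky routine leaks:   ", lockout_leaks(login_leaky))
    print("hardened routine leaks:", lockout_leaks(login_hardened))
```

The `lockout_leaks` check is the kind of test worth keeping in an authentication module's test suite: it locks an account, then submits the real password and a wrong one and requires the two responses to be identical. Response timing should be reviewed with the same idea in mind.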

Workaround:
Disable Account Lockout in OpenAM, and utilize the underlying Data Store’s account locking capabilities.

Resolution:
Deploy the relevant patch bundle.

Issue #201604-06: Information Leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium

OpenAM can leak details about the home directory of the user running the OpenAM container.

Workaround:
Remove the /openam/nowritewarning.jsp file from the OpenAM WAR file.

Resolution:
Deploy the relevant patch bundle and delete the nowritewarning.jsp file from the OpenAM deployment.

©2019 ForgeRock