OpenAM Community Edition and security advisory #201608

This topic has 6 replies, 3 voices, and was last updated 3 years, 11 months ago by FireBurn.

  • #18714
     japearson
    Participant

    Hi,

    I was just having a poke around at the OpenAM Community Edition, and looking at the github commit log, it appears as though the latest security advisories for OpenAM 11.0.3 are not included: https://github.com/ForgeRock/openam-community-edition/commits/master?after=3c00cd9146c3e6212372e97bf1f9ff78331bbbde+34

    As far as I can see, the dates jump from 2015 to 2017, skipping 2016, which is when the latest advisory (#201608) happened.

    https://backstage.forgerock.com/knowledge/kb/article/a25759331

    Are there any plans to add the #201608 security patches to OpenAM CE? Or is it basically just the risk you run with the community edition?

    Without the security patches, I think this drastically reduces the value of the community edition.

    • This topic was modified 4 years, 1 month ago by japearson.
    #18716
     Peter Major
    Moderator

    I’m not aware of any plans that would bring the community versions up to date with the latest security advisories.
    I believe the expectation is that the open source community fixes the affected versions.

    #18718
     japearson
    Participant

    Woah, fair enough.

    So I guess that means that the community edition is missing:

    #201601 1 Critical 8 High 5 Medium 1 Low
    #201604 1 Critical 3 High 3 Medium
    #201605 2 Critical 3 High 1 Medium 1 Low
    #201608 2 High

    Totalling

    4 Critical
    16 High
    9 Medium
    2 Low

    eesh, that’s a bit nasty. *unstars community edition on github*

    #18719
     japearson
    Participant

    I suppose you’d have to apply all the workarounds instead.

    #18720
     Peter Major
    Moderator

    It’s more like:

    #201601 1 Critical 6 High 5 Medium 1 Low
    #201604 1 Critical 3 High 1 Medium
    #201605 1 Critical 3 High 1 Low
    #201608 1 High

    Totalling 3 Critical 13 High 6 Medium 2 Low

    You should keep the “Affected versions” field in mind.

    #18721
     japearson
    Participant

    That’s true. Still, not amazing. Although all the critical vulnerabilities do have some form of workaround at least.

    #19667
     FireBurn
    Participant

    This is very poor form. I understand if new issues were found in the community edition that it should be up to the community to fix them. These, however, are known issues and are already fixed by ForgeRock.
