Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 13.0.0, 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.
This advisory provides guidance on how to secure your deployments. Workarounds or patches are available for all of the issues.
The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):
- 11.0.3
- 12.0.1
- 12.0.2
- 13.0.0
Customers can obtain these patch bundles from BackStage.
Issue #201604-01: User Impersonation via OAuth2 access tokens
Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.1-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Critical
A specific type of request to the /openam/oauth2/access_token endpoint can result in an OAuth2 access token being issued on behalf of any user in the current realm.
Workaround:
Ensure that the com.sun.identity.saml.checkcert advanced server property is set to on (the default) so that basic certificate validation is carried out. Additionally, verify that the OpenAM keystore does not contain expired or untrusted certificates.
If unsure, block all access to the /openam/oauth2/access_token endpoint.
Resolution:
Deploy the relevant patch bundle. Note that as part of the resolution several additional checks have been implemented for the SAML2 OAuth2 grant, so after installing a patch you must also ensure that:
- The issuer of the assertion must be configured as a remote IdP
- The audience of the assertion must be configured as a hosted SP
- The hosted SP and the remote IdP must be in the same Circle Of Trust
- The assertion parameter value MUST be Base64url encoded
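The checks listed above can be illustrated with a small stand-alone script. The following is an added example written for this page, not OpenAM code: it Base64url-encodes a constructed, unsigned assertion for the assertion parameter and applies the issuer, audience and Circle Of Trust checks against a constructed entity configuration (REMOTE_IDPS, HOSTED_SPS and CIRCLES_OF_TRUST are hypothetical stand-ins for a realm's SAML configuration). Certificate and signature validation, which the workaround above concerns, is not reproduced here.

```python
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed configuration: hypothetical stand-ins for the remote IdPs, hosted SPs
# and Circles Of Trust configured in an OpenAM realm (not read from a real server).
REMOTE_IDPS = {"https://idp.example.com/idp"}
HOSTED_SPS = {"https://sp.example.com/sp"}
CIRCLES_OF_TRUST = {
    "cot1": {"https://idp.example.com/idp", "https://sp.example.com/sp"},
}

# Constructed, unsigned sample assertion used only to exercise the checks below.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" IssueInstant="2016-04-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>demo</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Base64url alphabet (RFC 4648 section 5): '-' and '_' instead of '+' and '/'.
_B64URL = re.compile(r"^[A-Za-z0-9_-]*={0,2}$")


def is_base64url(param: str) -> bool:
    """True if the value uses only the Base64url alphabet (plain base64 with + or / fails)."""
    return bool(_B64URL.fullmatch(param))


def encode_assertion(xml_text: str) -> str:
    """Base64url-encode an assertion for the 'assertion' form parameter, without padding."""
    return base64.urlsafe_b64encode(xml_text.encode()).rstrip(b"=").decode()


def decode_assertion(param: str) -> str:
    """Decode the 'assertion' parameter, restoring padding and rejecting non-Base64url input."""
    if not is_base64url(param):
        raise ValueError("assertion parameter is not Base64url encoded")
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded).decode()


def check_assertion_trust(xml_text: str, remote_idps, hosted_sps, cots) -> list:
    """Return the list of failed trust checks; an empty list means the assertion passes."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML_NS}}}Issuer")
    audiences = [a.text for a in root.iter(f"{{{SAML_NS}}}Audience")]
    failures = []
    # 1. The issuer must be a configured remote IdP.
    if issuer not in remote_idps:
        failures.append(f"issuer {issuer!r} is not a configured remote IdP")
    # 2. At least one audience must be a configured hosted SP.
    matching_sps = [a for a in audiences if a in hosted_sps]
    if not matching_sps:
        failures.append(f"no audience in {audiences!r} is a configured hosted SP")
    # 3. That IdP and SP must belong to a common Circle Of Trust.
    if issuer in remote_idps and matching_sps:
        sp = matching_sps[0]
        if not any(issuer in members and sp in members for members in cots.values()):
            failures.append("issuer and audience are not in a common Circle Of Trust")
    return failures


if __name__ == "__main__":
    param = encode_assertion(SAMPLE_ASSERTION)
    print("assertion parameter:", param[:40], "...")
    print("failures:", check_assertion_trust(
        decode_assertion(param), REMOTE_IDPS, HOSTED_SPS, CIRCLES_OF_TRUST))
```

The encoder strips padding and the decoder restores it, so a value produced with a standard base64 encoder (which can contain + or /) is rejected before it is parsed; the trust checks run on the decoded XML and report every failed condition rather than stopping at the first.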
Issue #201604-02: Open Redirect
Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High
The following endpoint does not correctly validate redirect URLs allowing an attacker to redirect an end-user to a site they control:
- /openam/idm/EndUser
Workaround:
Block all access to the /openam/idm/EndUser endpoint.
Resolution:
Deploy the relevant patch bundle and ensure that at least one whitelist URL is defined; the redirect validation is only applied when the whitelist is non-empty.
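As an added illustration of whitelist-based redirect validation of the kind the resolution describes (example code written for this page, not OpenAM's own implementation), the Python below checks a goto/redirect URL against a constructed whitelist of origins (ALLOWED_ORIGINS is hypothetical). It accepts only same-site paths or absolute URLs on a whitelisted scheme://host[:port], rejects the usual bypasses (protocol-relative //host, credentials before @, non-http schemes, look-alike subdomains), and refuses to run with an empty whitelist, since with no entries the validation would not be applied.

```python
from urllib.parse import urlsplit

# Constructed whitelist of allowed redirect origins (scheme://host[:port], lower case);
# a hypothetical stand-in for the whitelist an administrator would configure.
ALLOWED_ORIGINS = {"https://app.example.com", "https://portal.example.com:8443"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_allowed_redirect(url: str, whitelist: set) -> bool:
    """True only for a same-site relative path or an absolute URL on a whitelisted origin."""
    if not url:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative URL: must be a plain path. Browsers treat '//host' and '/\host' as
        # protocol-relative absolute URLs, so those forms are rejected.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False  # javascript:, data:, file: and friends
    if parts.username is not None or parts.password is not None:
        return False  # https://app.example.com@evil.example/ resolves to evil.example
    if not parts.hostname:
        return False
    origin = f"{scheme}://{parts.hostname}"  # hostname is already lower-cased by urlsplit
    if port is not None and port != DEFAULT_PORTS[scheme]:
        origin += f":{port}"  # explicit default port is normalised away
    return origin in whitelist


def validate_goto(url: str, whitelist: set, default: str = "/") -> str:
    """Return the redirect target to use: the URL if allowed, otherwise a safe default.
    An empty whitelist is treated as a misconfiguration, not as 'allow everything'."""
    if not whitelist:
        raise ValueError("redirect whitelist is empty; validation would not be applied")
    return url if is_allowed_redirect(url, whitelist) else default


if __name__ == "__main__":
    for candidate in ("/openam/console", "https://app.example.com/home",
                      "//evil.example/", "https://app.example.com@evil.example/"):
        print(f"{candidate!r:45} -> {validate_goto(candidate, ALLOWED_ORIGINS)!r}")
```

Matching on the full origin rather than on a substring of the host is what defeats the look-alike case (app.example.com.evil.example), and a rejected URL falls back to a fixed default instead of being echoed back, so the response never reflects attacker-controlled destinations.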
Issue #201604-03: Cross Site Scripting
Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only, DAS
Severity: High
OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
The following endpoint was found vulnerable:
- /openam/cdcservlet
Workaround:
Block all access to the /openam/cdcservlet endpoint.
Resolution:
Deploy the relevant patch bundle.
Issue #201604-04: Insufficient Authorization
Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High
Due to insufficient authorization checks, it is possible to modify arbitrary user attributes of a personal account through the /json/users endpoint.
Workaround:
Disable the forgotten password feature in all realms:
- Disable Forgot Password for Users under Legacy User Self Service service (13.0.0)
- Disable Forgot Password for Users under User Self Service service (12.0.x)
- Disable Forgot Password for Users under REST Security service (11.0.x)
Resolution:
Deploy the relevant patch bundle.
Issue #201604-05: Information Leakage via Account Lockout
Product: OpenAM
Affected versions: 13.0.0 (and versions with #201601 security patch applied)
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium
OpenAM can leak information about password correctness even when OpenAM's Account Lockout feature is enabled, allowing an attacker to brute-force end-user passwords.
Workaround:
Disable Account Lockout in OpenAM and use the underlying data store's account locking capabilities instead.
Resolution:
Deploy the relevant patch bundle.
Issue #201604-06: Information Leakage
Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium
OpenAM can leak details about the home directory of the user running the OpenAM container.
Workaround:
Remove the nowritewarning.jsp file (served at /openam/nowritewarning.jsp) from the OpenAM WAR file.
Resolution:
Deploy the relevant patch bundle and delete the nowritewarning.jsp file from the OpenAM deployment.