OpenAM Security Advisory #201605

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 13.0.x, 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 11.0.3
  • 12.0.2-12.0.3
  • 13.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201605-01: Credential Forgery

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: Critical

The Persistent Cookie authentication module is vulnerable to credential forgery. In some configurations this may allow an attacker unauthorized access to the system as any user.

Workaround:
Disable Persistent Cookie authentication module instances and require manual authentication, or combine the module with a mandatory second factor.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-02: Insufficient Authorization

Product: OpenAM
Affected versions: 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: Critical

Insufficient authorization on a query endpoint allows a non-privileged user to access details of other users on the system.

Workaround:
No workaround available.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-03: Authentication Bypass

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: High

In some configurations a user may be able to bypass additional authentication requirements and login with just username and password.

Workaround:
Ensure that all authorization mechanisms and policies verify that every chain/module/service/role requirement has been met after authentication, for example by using OpenAM’s “Authenticated by Module Chain”, “Authenticated by Module Instance” or “Authenticated to Realm” environment conditions in conjunction with a policy agent.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle and apply the workaround.

Issue #201605-04: Cross-Site Request Forgery (CSRF)

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: High

The OAuth2 consent page is vulnerable to a CSRF attack.

Workaround:
No workaround available.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle and update any customized authorize.ftl template files based on the patch.

Issue #201605-05: Cross Site Scripting (XSS)

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing. The following endpoints are vulnerable:

  • /openam/cdcservlet
  • /openam/SAMLPOSTProfileServlet

Workaround:
Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201605-06: Credentials appear in CTS access log

Product: OpenAM
Affected versions: 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: Medium

OAuth 2 client requests using HTTP Basic authentication may result in the base64-encoded credentials being recorded in the CTS access logs.

Workaround:
Use alternative authentication mechanisms for OAuth2 clients, or protect the OpenDJ access logs for the CTS store.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
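As an added illustration (not part of the advisory and not ForgeRock code), a scrubber that finds HTTP Basic credentials copied into log lines, redacts the secret and reports which client ids were exposed so the affected client secrets can be rotated. The log lines are constructed samples whose layout only imitates a generic LDAP access log; they are not the real CTS/OpenDJ format.

```python
import base64
import binascii
import re
from typing import Iterable, List, Optional, Tuple

# A Basic credential wherever it was copied into a log line (header dumps, filters, messages).
_BASIC_RE = re.compile(r"(?i)\bBasic\s+([A-Za-z0-9+/]{4,}={0,2})")


def make_basic(client_id: str, secret: str) -> str:
    """Build the base64 token a client sends in 'Authorization: Basic ...' (used for the samples)."""
    return base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def decode_basic(token: str) -> Optional[Tuple[str, str]]:
    """Return (client_id, secret) when token is a well-formed Basic credential, else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None              # ordinary words such as "authentication" fail here
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Redact every Basic credential in a log line; return the clean line and the client ids seen."""
    exposed: List[str] = []

    def _redact(match: "re.Match[str]") -> str:
        parsed = decode_basic(match.group(1))
        if parsed is None:
            return match.group(0)            # not a credential, leave the text untouched
        exposed.append(parsed[0])
        return f"Basic <redacted client_id={parsed[0]}>"

    return _BASIC_RE.sub(_redact, line), exposed


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """1-based line numbers that carried a credential, with the client ids, to scope a secret rotation."""
    hits: List[Tuple[int, List[str]]] = []
    for number, line in enumerate(lines, start=1):
        _, ids = scrub_line(line)
        if ids:
            hits.append((number, ids))
    return hits


# Constructed sample lines; the layout imitates a generic LDAP access log and is NOT the real CTS format.
SAMPLE_LOG = [
    '[12/May/2016:10:00:01 +0000] SEARCH REQ conn=12 op=3 base="ou=tokens" '
    f'filter="(authorization=Basic {make_basic("client-app", "s3cr3t")})"',
    '[12/May/2016:10:00:01 +0000] SEARCH RES conn=12 op=3 result=0 nentries=1 etime=2',
    '[12/May/2016:10:00:05 +0000] BIND REQ conn=13 op=0 msg="Basic authentication required"',
    f'[12/May/2016:10:00:09 +0000] ADD REQ conn=14 op=1 hdr="Basic {make_basic("mobile-app", "p@ss")}"',
]

if __name__ == "__main__":
    for number, ids in scan_log(SAMPLE_LOG):
        print(f"line {number}: credential for client id(s) {ids} exposed, rotate the secret")
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
```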

Issue #201605-07: Content Spoofing Vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.3, 13.0.0
Fixed versions: 13.5.0
Component: Core Server, Server Only
Severity: Low

Using a carefully crafted request an attacker can cause an alternative image and title text to be displayed on an admin console page.

Workaround:
Block access to the following endpoint:

  • /openam/ccversion/Version

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

OpenAM Security Advisory #201604

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 13.0.0, 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 11.0.3
  • 12.0.1
  • 12.0.2
  • 13.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201604-01: User Impersonation via OAuth2 access tokens

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.1-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Critical

A specific type of request to the /openam/oauth2/access_token endpoint can result in obtaining an OAuth2 access token on behalf of any user in the current realm.

Workaround:
Ensure that the com.sun.identity.saml.checkcert advanced server property is set to on (the default) so that basic certificate validation is carried out. Additionally, you must verify that the OpenAM keystore does not contain expired and/or untrusted certificates.

If unsure, block all access to the /openam/oauth2/access_token endpoint.

Resolution:
Deploy the relevant patch bundle. Note that as part of the resolution several additional checks have been implemented for the SAML2 OAuth2 grant. After installing a patch you will need to perform the following additional steps:

  • The issuer of the assertion must be configured as a remote IdP
  • The audience of the assertion must be configured as a hosted SP
  • The hosted SP and the remote IdP must be in the same Circle Of Trust
  • The assertion parameter value MUST be Base64url encoded

Issue #201604-02: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High

The following endpoint does not correctly validate redirect URLs allowing an attacker to redirect an end-user to a site they control:

  • /openam/idm/EndUser

Workaround:
Block all access to the /openam/idm/EndUser endpoint.

Resolution:
Deploy the relevant patch bundle and ensure that at least one whitelist URL is defined for the redirection validation to be applied.

Issue #201604-03: Cross Site Scripting

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only, DAS
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
The following endpoint was found vulnerable:

  • /openam/cdcservlet

Workaround:
Block all access to the /openam/cdcservlet endpoint.

Resolution:
Deploy the relevant patch bundle.

Issue #201604-04: Insufficient Authorization

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: High

Due to insufficient authorization checks it is possible to modify arbitrary user attributes for a personal account when using the /json/users endpoint.

Workaround:
Disable the forgotten password feature in all realms:

  • Disable Forgot Password for Users under Legacy User Self Service service (13.0.0)
  • Disable Forgot Password for Users under User Self Service service (12.0.x)
  • Disable Forgot Password for Users under REST Security service (11.0.x)

Resolution:
Deploy the relevant patch bundle.

Issue #201604-05: Information Leakage via Account Lockout

Product: OpenAM
Affected versions: 13.0.0 (and versions with #201601 security patch applied)
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium

OpenAM can leak information about password correctness even when OpenAM’s Account Lockout feature is enabled, allowing brute-force attackers to guess passwords for end-users.

Workaround:
Disable Account Lockout in OpenAM, and utilize the underlying Data Store’s account locking capabilities.

Resolution:
Deploy the relevant patch bundle.

Issue #201604-06: Information Leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2, 13.0.0
Fixed versions: 12.0.3
Component: Core Server, Server Only
Severity: Medium

OpenAM can leak details about the home directory of the user running the OpenAM container.

Workaround:
Remove the /openam/nowritewarning.jsp file from the OpenAM WAR file.

Resolution:
Deploy the relevant patch bundle and delete the nowritewarning.jsp file from the OpenAM deployment.

OpenAM Web Policy Agent Security Advisory #201603

A security vulnerability has been discovered in the OpenAM Web Policy Agent. This issue is present in version 4.0.0 of the OpenAM Web Policy Agent.

This advisory provides guidance on how to ensure your deployments can be secured. A workaround and a patch are available for the issue.

The maximum severity of the issue in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.

The recommendation is to deploy the following maintenance release of the Web Policy Agent (in accordance with ForgeRock’s Maintenance and Patch availability policy): 4.0.1

Customers can obtain this updated Web Agent version from BackStage.

Issue #201603-01: Business Logic Vulnerability

Product: OpenAM Web Policy Agent
Affected versions: 4.0.0
Fixed versions: 4.0.1
Component: Web Agent
Severity: Critical

Description:

When the agent’s not-enforced list contains a wildcard entry it may be possible to access any protected resource on the server without authorization.

Workaround:

Set ‘com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list’ to false and define explicit security rules for your website not-enforced resources.

Alternatively, set ‘com.forgerock.agents.notenforced.url.regex.enable’ to true and use regular expression based ‘not-enforced rules’ as per OpenAM Web Policy Agent User’s Guide › Configuring Web Policy Agents › Configuring Web Policy Agent Application Properties, instead of the older wildcard approach. Even so, explicit ‘not-enforced rules’ will need to be created.

However, it should be noted that neither of these workarounds will work well with dynamic URLs. In this instance, the only solution is to upgrade to the 4.0.1 Web Agent Release.

Resolution:

Use the workaround or deploy the relevant 4.0.1 Web Policy Agent Release.

OpenIDM Security Advisory #201602

Security vulnerabilities have been discovered in OpenIDM components. These issues are present in versions of OpenIDM including 3.x and 4.0.x.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and deploy the recommended workarounds or resolutions as described within each issue below.

Issue #201602-01: Unencrypted Repo JDBC Password

Product: OpenIDM
Affected versions: 3.0.0, 3.1.0, 4.0.0
Fixed versions: n/a
Component: OpenIDM JDBC Repository Server
Severity: High

JDBC Repository passwords are no longer auto-encrypted by OpenIDM when the repository is activated. As a result, the password stored within the repository configuration as well as those written to the JSON configuration files (repo.jdbc.json or datasource.jdbc-default.json) and the OpenIDM log will appear in clear-text.

Workaround:
Manually encrypt the JDBC Repository password using the OpenIDM Command-Line Interface as detailed in the following Knowledge Article: Repository password is not encrypted in OpenIDM 3.x or 4.x log and configuration files.

Resolution:
None.

OpenAM Security Advisory #201601

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 10.0.2
  • 11.0.3
  • 12.0.1
  • 12.0.2

Customers can obtain these patch bundles from BackStage.

Issue #201601-01: Open Redirect

Product: OpenAM
Affected versions: 9.5.5, 10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only, DAS
Severity: Critical

Due to a bug in the goto URL validation system it was possible to perform Open Redirect attacks by sending the end-users to specially constructed URLs that were considered valid by the goto URL validator.

Workaround:
Enable the XUI, which is not vulnerable to this issue.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-02: Potential Denial of Service attack in multi-site deployments

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

Multi-site deployments of OpenAM which share the same load-balancer are vulnerable to a Denial of Service attack using carefully crafted requests.

Workaround:
Configure load-balancers to only route requests for a single site and not to re-route any requests for a different site.

Resolution:
Deploy the workaround or update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-03: Cross Site Scripting

Product: OpenAM
Affected versions: see below
Fixed versions: 13.0.0
Component: see below
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
Affecting 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:

  • /openam/federation/* (Core Server)
  • /openam/saml2/jsp/exportmetadata.jsp (Core Server, Server Only)
  • /openam/WSFederationServlet/metaAlias (Core Server, Server Only)

Affecting 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:

  • /openam/oauth2c/OAuthLogout.jsp (Core Server, Server Only)

Workaround:
Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-04: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

The following obsolete ID-FF federation endpoints did not correctly validate redirect URLs, allowing an attacker to redirect an end-user to a site they control:

  • /openam/consentHandler
  • /openam/federation

Workaround:
Block access to the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-05: Business Logic Vulnerability

Product: OpenAM
Affected versions: 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If more than one realm is configured in OpenAM it is possible for a user in one realm to generate security tokens for a different realm via the REST STS.

Workaround:
Block access to the following URI:

  • /openam/rest-sts/*

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-06: Business Logic Vulnerability

Product: OpenAM
Affected versions: 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If more than one realm is configured in OpenAM it is possible for an OAuth2 client in one realm to obtain an OAuth2 access_token for a different realm.

Workaround:
Block access to the following URI:

  • /openam/oauth2/access_token

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-07: Open Email Relay

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If the self-service interfaces are enabled it is possible for an attacker to send email using the configured email server.

Workaround:
Disable all user self-service interfaces in Configuration > Global > User Self Service and for any realms you have enabled it for in [realm] > Services > User Self Service.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Important Note:
This is a backwards-incompatible change: the forgotPassword and register actions now use localized messages defined in RestSecurity.properties. To define different subjects and messages per realm, use the new “Localization Bundle” setting in the User Self Service service.

Issue #201601-08: Previous Administrator Password Still Valid

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

After changing the administrator (amAdmin) password it is possible to log in using the old password until the new password has been used once.

Workaround:
After changing the administrator password, log in once using the new password on each server in the deployment or restart all servers.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-09: Insufficient Authorization

Product: OpenAM
Affected versions: 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: High

If the Device ID Match/Save modules are used, it is possible for an attacker to access saved device profiles for another user and use them to spoof that user’s device.

Workaround:
Block access to the following endpoint, where * matches any user id:

  • /openam/json/users/*/devices/trusted/

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle. If you believe that a user’s device profiles may have been compromised then you should disable Device ID Match modules.

Issue #201601-10: Information Leakage

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

It is possible to obtain information about which accounts exist on the system by sending carefully crafted requests to the following endpoints:

  • /openam/json/authenticate
  • /openam/identity/authenticate
  • /openam/identity/xml/authenticate
  • /openam/identity/json/authenticate

Workaround:
Block access to the following endpoints:

  • /openam/json/authenticate
  • /openam/identity/authenticate
  • /openam/identity/xml/authenticate
  • /openam/identity/json/authenticate

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-11: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only, DAS
Severity: Medium

If relative goto URLs are added to the redirect URL whitelist an attacker can use a carefully crafted URL to redirect end-users to a different destination.

Workaround:
Ensure that all whitelisted redirect resources are in absolute format, i.e. they have the protocol scheme defined.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
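To show why absolute whitelist entries matter (#201601-11) and why an empty whitelist must not disable validation (#201604-02), here is an added example of a strict goto/redirect validator; it is illustrative code written for this page, not OpenAM’s own validator, and the hostnames in it are assumed.

```python
import re
from typing import Iterable, List
from urllib.parse import SplitResult, urlsplit


def _path_within(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies beneath it as a directory ('/portal-admin' is not under '/portal')."""
    path, prefix = path or "/", prefix or "/"
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


class RedirectWhitelist:
    """Validates goto/redirect targets against a whitelist of absolute URLs.

    Two rules from the advisories are built in:
      * every whitelist entry must be absolute (scheme and host present); a relative
        entry is refused when the whitelist is loaded instead of being matched loosely;
      * an empty whitelist never means "anything goes": without entries only
        same-site relative paths are accepted.
    """

    def __init__(self, entries: Iterable[str]) -> None:
        self.entries: List[SplitResult] = []
        for entry in entries:
            parts = urlsplit(entry)
            if not parts.scheme or not parts.netloc:
                raise ValueError(f"whitelist entry must be absolute (scheme and host): {entry!r}")
            self.entries.append(parts)

    @staticmethod
    def _same_site_path(goto: str) -> bool:
        # Exactly one leading "/" keeps the browser on the current host; "//host" is
        # protocol-relative and "/\host" is normalised to "//host" by browsers.
        return goto.startswith("/") and not goto.startswith(("//", "/\\"))

    def is_allowed(self, goto: str) -> bool:
        if not goto or re.search(r"[\s\x00-\x1f]", goto):
            return False                          # whitespace / control-character tricks
        parts = urlsplit(goto)
        if not parts.scheme and not parts.netloc:
            return self._same_site_path(goto)     # relative target: must stay on this host
        if not parts.scheme or not parts.netloc:
            return False                          # "//evil.example" or "javascript:..."
        return any(
            parts.scheme.lower() == allowed.scheme.lower()
            and parts.netloc.lower() == allowed.netloc.lower()   # userinfo and port must match too
            and _path_within(parts.path, allowed.path)
            for allowed in self.entries
        )


if __name__ == "__main__":
    # assumed hostnames for the demonstration
    wl = RedirectWhitelist(["https://app.example.com/", "https://portal.example.com/portal"])
    for target in ["https://app.example.com/home", "/console/index.jsp", "//evil.example/",
                   "https://app.example.com@evil.example/", "https://portal.example.com/portal-admin"]:
        print(f"{target!r}: {'allowed' if wl.is_allowed(target) else 'rejected'}")
```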

Issue #201601-12: OATH Replay Vulnerability

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

If OATH TOTP authentication is enabled an attacker who is able to intercept a TOTP code may be able to replay it within the same TOTP time step.

Workaround:
Disable OATH TOTP authentication or reduce the time step size to mitigate the vulnerability.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
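An added example (not from the advisory, not OpenAM’s OATH module) of the defensive check the fix implies: a TOTP verifier that remembers the highest time step already accepted per user and refuses any code for that step or an earlier one, so an intercepted code cannot be used a second time within the same step. The per-user store is an in-memory dict assumed for the demonstration; the secret is the RFC 4226/6238 test secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step number, now // step."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Verifies TOTP codes and never accepts the same time step twice for a user.

    A verifier that only checks the code against the current window accepts an
    intercepted code again for the rest of its time step.  Keeping the highest
    accepted step per user (a high-water mark) and refusing anything at or below
    it closes that replay.  ``skew`` is the usual +/-1 step of clock tolerance.
    """

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.skew = skew
        # user -> highest time step already used to log in (assumed in-memory store;
        # a real deployment keeps this where every server in the site can see it)
        self.last_step: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            expected = hotp(secret, candidate, self.digits).encode()
            # constant-time comparison so a mismatch does not leak which digits matched
            if hmac.compare_digest(expected, code.encode()):
                if candidate <= self.last_step.get(user, -1):
                    return False       # replay: this step (or an earlier one) was already used
                self.last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"      # RFC 4226 / RFC 6238 test secret
    verifier = TotpVerifier()
    code = totp(demo_secret, 59)               # time step 1 -> "287082" per RFC 6238
    print(verifier.verify("alice", demo_secret, code, now=59))   # True: first use
    print(verifier.verify("alice", demo_secret, code, now=75))   # False: replayed in the same step
```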

Issue #201601-13: Open Redirect

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

Using a carefully crafted request an attacker may be able to redirect an end-user to a non-validated redirect URL. The attacker must be able to set cookies in the same domain as OpenAM. The following endpoint is vulnerable:

  • /openam/cdcservlet

Workaround:
Block access to the following endpoint if you are not using CDSSO:

  • /openam/cdcservlet

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-14: Content Spoofing Vulnerability

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Medium

Using a carefully crafted request an attacker can display plain text messages within the content of a valid page.

Workaround:
Block access to the following endpoints:

  • /openam/validatorFooter.jsp
  • /openam/validatorWait.jsp

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201601-15: Password Logging

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Fixed versions: 13.0.0
Component: Core Server, Server Only
Severity: Low

If MESSAGE-level debug logging is enabled the SecurID module logs passwords in plain text.

Workaround:
Disable MESSAGE-level debug logging in all production environments.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.

OpenDJ Security Advisory #201508

Two security vulnerabilities have been discovered in all released versions of OpenDJ.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for the issues, which will also be included in the forthcoming OpenDJ 2.6.4 maintenance release.

The severity of the issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update at the earliest opportunity.

The recommendation is to deploy the relevant patch or to upgrade to OpenDJ 2.6.4 when it becomes available.

Combined patches fixing all OpenDJ security advisories are available to customers for OpenDJ 2.6.0 – 2.6.3 from BackStage. Customers with other deployed patches should contact the support organization to obtain an updated patch. Customers running earlier releases need to upgrade. The fixes are also present in the community “trunk” nightly builds.

Issue #201508-01: LDAP read entry controls reveal protected attributes.

Product: OpenDJ
Affected versions: 2.4.0 – 2.4.6, 2.5.0-Xpress1, 2.6.0 – 2.6.3
Fixed versions: n/a
Component: Core Server
Severity: Medium

OpenDJ supports controls allowing an LDAP user to read and return the target entry of an update operation as part of the update operation itself. If the update operation succeeds, the target entry attributes should be returned subject to access control checks. These access control checks were not performed by OpenDJ, and the server would incorrectly return any attribute from the target entry.

The vulnerability can be exploited if the LDAP user performing the update has all of the following:

  • allowed access to use either the 1.3.6.1.1.13.1 or 1.3.6.1.1.13.2 controls;
  • allowed access to update (add/modify/delete/rename) an entry;
  • denied access to reading certain attributes on the entry being updated.

By default the impact is low because in OpenDJ anonymous users may not use these controls. By default authenticated users may only update their own entries, and anonymous users are read-only. By default users are prevented from reading only a few operational attributes from their own entry.

Customers with customized access control policies may wish to review them with ForgeRock support.

Workaround:

To prevent the vulnerability from being exploited, a simple solution is to temporarily restrict permission to use the two controls to trusted users until the patch is deployed. Ideally this would be done using the dsconfig command to identify the global ACI that allows the use of the two controls, and to then remove those two controls from that ACI’s targetcontrol list. Instructions for using dsconfig are in the OpenDJ Administration Guide.

A simple alternative would be to temporarily restrict the use of the controls to RootDN users with the following ldapmodify command. Replace the connection parameters (host, port, bind DN and password file) and the base DN with the values for your deployment:

ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -j passwd.txt
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetcontrol="1.3.6.1.1.13.1 || 1.3.6.1.1.13.2")
 (version 3.0; acl "ForgeRock Security advisory 201508";
 deny(read) userdn="ldap:///anyone";)
-

Note: These controls are rarely used but you must test your applications to make sure they will not be affected. OpenAM does not use these controls and will not be affected. OpenDJ’s REST interfaces use these controls if the “readOnUpdatePolicy” configuration for an endpoint is set to “controls”.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #201508-02: OpenDJ Administration Connector doesn’t reject anonymous operations.

Product: OpenDJ
Affected versions: 2.4.0 – 2.4.6, 2.5.0-Xpress1, 2.6.0 – 2.6.3
Fixed versions: n/a
Component: Core Server
Severity: Medium

OpenDJ has a global configuration parameter called “reject-unauthenticated-requests” that can be set to disallow any non-authenticated request. This provides an additional layer of protection in the server on top of the normal access control protection. The parameter is applied on all LDAP and LDAPS connection handlers (e.g. on ports 389 and 636); however, it was not applied on the administration connector interface, which is typically on port 4444.

The parameter is set to “false” by default.

The bug’s impact is low, as access controls should always be used to enforce basic security and restrict the ability of non-authenticated connections to read or modify data.

Workaround:

Access controls should always be used to limit the data that non-authenticated connections can access. System-level firewall rules could be used to restrict access to the administration connector from only selected systems.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

OpenAM Security Advisory #201507

Security vulnerabilities have been discovered in OpenAM components. These issues may be present in versions of OpenAM including 12.0.x, 11.0.x, 10.1.0-Xpress, 10.0.x, 9.x, and possibly previous versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 10.0.2
  • 11.0.2
  • 11.0.3
  • 12.0.0
  • 12.0.1
  • 12.0.2

Customers can obtain these patch bundles from BackStage.

Issue #201507-01: Business Logic Vulnerability

Product: OpenAM
Affected versions: 11.0.0-11.0.3, 12.0.1-12.0.2
Component: Core Server, Server Only
Severity: Critical

A specific type of request to the /openam/frrest/oauth2/token endpoint can expose user tokens to another user.

Workaround:

Block all access to the /openam/frrest/oauth2/token endpoint.

Resolution:
Use the workaround or deploy the relevant patch bundle.

Issue #201507-02: Cross Site Scripting

Product: OpenAM
Affected versions: 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.2
Component: Core Server, Server Only
Severity: High

OpenAM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
Affecting 9-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:

  • /openam/ccversion/Masthead.jsp

Affecting 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.3 and 12.0.0-12.0.2:

  • /openam/oauth2c/OAuthProxy.jsp

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:
Use the workaround or deploy the relevant patch bundle.

OpenAM Security Advisory #201506

Security vulnerabilities have been discovered in OpenAM components. These issues are present in versions of OpenAM including 12.0.x and 11.0.x.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues, which are also included in the 12.0.2 maintenance release.

The maximum severity of issues in this advisory is Critical. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to OpenAM 12.0.2 or deploy the relevant patches. Patch bundles are available for the following versions:

  • 11.0.3
  • 12.0.0
  • 12.0.1

Customers can obtain these patch bundles from BackStage.

Issue #201506-01: Thread-safety issues with CTS when encryption is enabled

Product: OpenAM
Affected versions: 11.0.0-11.0.3 and 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: Critical

When the Core Token Service token encryption is enabled and the system is under a heavy load, it is possible that incorrect session/SAML/OAuth2 tokens are returned by the CTS.

Workaround:

Disable token encryption by setting the following property to false:

com.sun.identity.session.repository.enableEncryption

in the OpenAM console via Configuration -> Servers and Sites -> Default Server Settings -> Advanced or via ssoadm:

ssoadm update-server-cfg --servername default --adminid amadmin --password-file /tmp/pwd.txt --attributevalues com.sun.identity.session.repository.enableEncryption=false

This setting is false by default.

Note:

By changing this setting, any existing encrypted tokens stored in CTS will become unreadable by OpenAM.

Resolution:
Use the workaround or update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201506-02: Possible user impersonation when using OpenAM as an OAuth2/OIDC Provider

Product: OpenAM
Affected versions: 10.1.0-Xpress, 11.0.0-11.0.3, 12.0.0-12.0.1
Fixed versions: 12.0.2
Component: Core Server, Server Only
Severity: High

When using multiple realms, it is possible for an authenticated user in realmA to acquire OAuth2 and OpenID Connect tokens that correspond to realmB.

Workaround:

None.

Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.